Semgrep — Lightweight Static Analysis for Any Language

What it is

Semgrep is a fast, open-source static analysis tool that finds bugs and security vulnerabilities using patterns that look like the source code you are searching. Write rules in a syntax similar to the code itself, without needing compiler expertise or AST manipulation.

Semgrep targets security engineers, developers, and DevSecOps teams who want custom code analysis rules without the complexity of traditional SAST tools. It supports over 30 programming languages with a single rule syntax.

The project is actively maintained and suitable for both individual developers and teams looking to integrate it into their existing toolchain. Documentation and community support are available for onboarding.

How it saves time or tokens

Semgrep rules are readable by any developer, not just security specialists. A rule that catches SQL injection looks like the vulnerable code pattern itself. The Semgrep Registry provides thousands of pre-written rules for OWASP Top 10, framework-specific bugs, and code quality issues. Running Semgrep in CI takes seconds, not minutes like heavier analyzers.

How to use

1. Install Semgrep via pip (pip install semgrep) or Homebrew.
2. Run semgrep --config auto to scan with community-recommended rules.
3. Write custom rules in YAML targeting patterns specific to your codebase.
4. Add Semgrep to your CI pipeline to block PRs with security findings.

Example

# .semgrep/sql-injection.yaml
rules:
  - id: sql-injection-string-concat
    patterns:
      - pattern: |
          $QUERY = "..." + $INPUT + "..."
          cursor.execute($QUERY)
    message: >-
      SQL injection via string concatenation.
      Use parameterized queries instead.
    severity: ERROR
    languages: [python]

# Run the custom rule
semgrep --config .semgrep/sql-injection.yaml src/

# Run with the full community ruleset
semgrep --config auto --error

Related on TokRepo

• AI Tools for Security — Security scanning and vulnerability detection tools.
• AI Tools for Testing — Code quality and testing tools that complement static analysis.

Common pitfalls

• Running with --config auto in CI without reviewing findings first. Some rules may produce false positives for your codebase. Curate your rule set before enforcing.
• Writing rules that are too broad. A pattern like $X + $Y matches everything. Be specific about the dangerous pattern you want to catch.
• Not using metavariable-regex to constrain matches. Without constraints, rules match safe code patterns alongside vulnerable ones, creating noise.
• Not reading the changelog before upgrading. Breaking changes between versions can cause unexpected failures in production. Pin your version and review release notes.