A tool to generate a custom Semgrep ruleset from multiple sources
Project description
Semgrep-search
Did you ever want to search for semgrep rules from the registry and test your codebase against rules from the all search results?
semgrep-search allows you to search for languages, categories and severities and outputs a single YAML file that you can use with semgrep.
The database powering semgrep-search is automatically built continuously and published to ghcr.io through
oras via this project.
Installation
The easiest installation method is by using pip or pipx
For example using pip, semgrep-search can be installed by executing pip install semgrep-search
Usage
Creating rulesets
For example to search for all rules that test csharp code and are categorized as security-relevant run:
sgs -l csharp -c security
By default, semgrep-search will create a file rules.yaml in your current working directory.
Using -O you can specify a different path instead.
If the provided filename is -, semgrep-search write to STDOUT.
Updating rules
If semgrep-search does not find the database locally, the database will automatically be downloaded when the tool runs.
However, from time to time, there might be new rules added to the registry.
To update the rules, run semregp-search with --update, shorthand -u,
and the current state of the registry will be downloaded before searching for any rules.
Using the ruleset with semgrep
Use the ruleset with semgrep as follows semgrep -c rules.yaml src/
Known issues
The tool found more rules than the website
It appears as if semgrep.dev renamed cs (C# in the YAML files) to csharp,
however some old rules seem to exist as duplicates prefixed with cs however their web search filters these out.
I'm not quite sure why the JSON export still contains these and which other languages have been renamed in the past.
During database generation, languages will be normalized according to the table of languages from the Semgrep documentation.
The registry shows more rules when filtering for a language
There seems to be at least one language (C#) that is being used with two different names.
Therefore, semgrep-search contains a list of programming language aliases that the semgrep registry allows.
If you happen to be missing a rule, please check the language specified in the rule or open a ticket with details about the missing rule.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for semgrep_search-1.1.0-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | f603c8557180fea4f3cb2a90607c2d58275e56d778e039f172fd7033da171b26 |
|
| MD5 | 1498210dabd479257d6976364a655012 |
|
| BLAKE2b-256 | 8110e59177840a270dce1e85ab2caf6e268fefa51786c89f9a1d234bcc868e57 |
