Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.
LGPL-2.1 License
Published by github-actions[bot] over 3 years ago
- `const` qualifier is missing (#2978)
- `--time` flag instead of `--json-time` which shows a summary of the
- `--json` is also present
- `semgrep_main.invoke_semgrep` now takes an `OutputSettings` argument for controlling output
- `OutputSettings.json_time` has moved to `OutputSettings.output_time`
- `OutputSettings` arguments have been made optional
- `--debugging-json` flag in favor of `--json` + `--debug`
- `--json-time` flag in favor of `--json` + `--time`
Published by github-actions[bot] over 3 years ago
- `$...ARGS`. This used to be available only for JS/TS and is now available
- `--optimizations [STR]` command-line flag to turn on/off some
- `--optimizations` is equivalent to `--optimizations all`, and `--optimizations` is equivalent to `--optimizations none`.
- `<a href="foo">...</a>` (#2963)
- `<a href=$X>some text</a>` (#2964)
Published by github-actions[bot] over 3 years ago
- `extra.lines` data is now consistent across scan types (`semgrep-core`, `spacegrep`, `pattern-regex`)
Published by github-actions[bot] over 3 years ago
- `for(...)` for Java
- `$FLD: { ... }` pattern
- `this.that.check.yaml`.
- `.yaml`, YAML language tests end with `.test.yaml`, `.py`).
Published by github-actions[bot] over 3 years ago
- `<... foo ...>` now match within the bodies of anonymous
- `go` statement
Published by github-actions[bot] over 3 years ago
- `--experimental` flag for passing rules directly to semgrep-core (#2836)
Published by github-actions[bot] over 3 years ago
- `$_COOKIE` (#2820)

`semgrep-core` only: these features are not yet available via the `semgrep` CLI, but have been fixed in the internal `semgrep-core` binary.

Published by github-actions[bot] over 3 years ago
Published by github-actions[bot] over 3 years ago
- `patterns:`. Fixes #2548.
- `--json-time` flag which reports runtimes for (rule, target file)
- `--vim` flag for Syntastic
- `rs` or `rust` as a language
Published by github-actions[bot] over 3 years ago
Published by github-actions[bot] over 3 years ago
`semgrep-core` only: these features are not yet available via the `semgrep` CLI, but have been added to the internal `semgrep-core` binary.
Published by github-actions[bot] over 3 years ago
- `:=` short assignment in Go. (#2440)
Published by github-actions[bot] over 3 years ago
No new changes in this version. This is a re-release of 0.39.0 due to an error in the release process.
- `$X == $Y` can now match specific types like so: `(char *$X) == $Y`. (#2431)

`semgrep-core` only: these features are not yet available via the `semgrep` CLI, but have been added to the internal `semgrep-core` binary.

- `semgrep-core` supports rules in JSON and Jsonnet format. (#2428)
- `semgrep-core` supports a new nested format for combining patterns into a boolean query. (#2430)
- `-c` is the new shorthand for `--config` in the CLI. `-f` is kept as an alias for backward-compatibility. (#2447)
Published by github-actions[bot] over 3 years ago
Published by github-actions[bot] almost 4 years ago
Published by github-actions[bot] almost 4 years ago
- `setup.py` functionality (`.whl` and `pip install` unchanged): `SEMGREP_SKIP_BIN`, `SEMGREP_CORE_BIN`, and `SPACEGREP_BIN` now available
Published by github-actions[bot] almost 4 years ago
- `...` in chains of method calls in JS, e.g. `$O.foo() ... .bar()`
- `--test` (#1796)
Published by github-actions[bot] almost 4 years ago
- `$...ARGS`.
- `...` inside a Golang `switch` statement.
- `try`, the `catch`, or the `finally` part of a `try { } catch (e) { } finally { }` construct in JS/TS.
- `if ()` part of an `if () { }` construct in Java
- `{..., $KEY: $VAL, ...}`.
- `--json-stats` flag. The stats output contains the number of files and lines of code scanned, broken down by language. It also contains profiling data broken down by rule ID. Please note that as this is an experimental flag, the output format is subject to change in later releases.
- `regex` as their language. The previously used language `none` will keep working as well.
- `--max-lines-per-finding` option.
- `// nosemgrep` comment instead of the original `// nosem`. The two keywords have identical behavior.
- `semgrep-core` flag named `-max_match_per_file` prevents these crashes by forcing a 'timeout' state when 10,000 matches are reached. Semgrep can then gracefully report what combination of rules and paths causes too much work.
- `semgrep --debug` works again, and now outputs even more debugging information from `semgrep-core`. The new debugging output is especially helpful to discover which rules have too many matches.
- `$X & $Y` will now correctly match bitwise AND operations in Ruby.
Published by github-actions[bot] almost 4 years ago
- `--severity` flag. Thanks @kishorbhat!
- `def bar def foo` when the `def ... foo`, instead matching just `def foo`
- `... foo` to match what comes before `foo`
- `include $X`
Published by github-actions[bot] almost 4 years ago
- `is_ignored`: `false` under regular circumstances; with `--disable-nosem`, `true` for findings carrying a `// nosem` comment.
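A small triage script that consumes this output, added here as an example and not part of semgrep or these release notes: it separates active findings from ones a `nosem` comment suppressed, so suppressions can be reviewed rather than silently lost. The JSON layout (`results[].extra.is_ignored`), the sample findings and the rule IDs are constructed assumptions.

```python
import json

# Constructed sample of `semgrep --json` output from a run with --disable-nosem,
# so suppressed findings are still emitted. The field layout (results[].extra.is_ignored)
# is assumed here, not taken from the release notes.
SAMPLE_OUTPUT = json.dumps({
    "results": [
        {"check_id": "rules.sql-injection", "path": "app/db.py", "start": {"line": 12},
         "extra": {"severity": "ERROR", "is_ignored": False, "lines": "cur.execute(q % user)"}},
        {"check_id": "rules.sql-injection", "path": "app/legacy.py", "start": {"line": 40},
         "extra": {"severity": "ERROR", "is_ignored": True, "lines": "cur.execute(q % user)  # nosem"}},
        {"check_id": "rules.weak-hash", "path": "app/auth.py", "start": {"line": 7},
         "extra": {"severity": "WARNING", "is_ignored": True, "lines": "hashlib.md5(pw)  # nosemgrep"}},
    ],
    "errors": [],
})

SEVERITY_RANK = {"INFO": 0, "WARNING": 1, "ERROR": 2}


def _entry(result):
    """Compact (check_id, path, line) tuple for a finding."""
    return (result["check_id"], result["path"], result["start"]["line"])


def triage(raw_json):
    """Split findings into (active, suppressed) using is_ignored.
    Output from older versions lacks the field; those findings count as active."""
    active, suppressed = [], []
    for r in json.loads(raw_json).get("results", []):
        bucket = suppressed if r.get("extra", {}).get("is_ignored", False) else active
        bucket.append(_entry(r))
    return active, suppressed


def suppressed_at_or_above(raw_json, min_severity="ERROR"):
    """Suppressed findings at or above min_severity: the ones worth a second look,
    since a nosem comment silences them in a normal run."""
    threshold = SEVERITY_RANK[min_severity]
    return [
        _entry(r)
        for r in json.loads(raw_json).get("results", [])
        if r.get("extra", {}).get("is_ignored", False)
        and SEVERITY_RANK.get(r["extra"].get("severity", "INFO"), 0) >= threshold
    ]


if __name__ == "__main__":
    for check_id, path, line in suppressed_at_or_above(SAMPLE_OUTPUT):
        print(f"review suppression: {check_id} at {path}:{line}")
```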