Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.
LGPL-2.1 License
Published by github-actions[bot] over 2 years ago
r2c-internal-project-depends-on
that semgrep login
and semgrep logout
to store API token from semgrep.dev
semgrep --config policy
that uses stored API token to
--verbose
) appear once per file,
for(...)
patterns (#4530)
x = foo.bar()
followed by a call x.baz(), Semgrep will keep x's definition, and it will successfully match x.baz()
with a foo.bar().baz()
. This feature should help writing simple yet
options:
and setting symbolic_propagation: true
. (#2783, #2859, #3207)
--verbose
outputs a timing and file breakdown summary at the end
metavariable-comparison
now handles metavariables that bind to arbitrary
semgrep login
and semgrep logout
commands to save api token
val List(x,y,z) = List(1,2,3)
to the generic AST
class Foo<...>
(#4335)
class $X { ...}
will now match class Foo<T> { }
$SINK->method
), and the LHS operand is a tainted
-filter_irrelevant_rules
on rules with very large pattern-either
s (#4305)
--debug
dumps
--output
Semgrep will no longer print search results to stdout,
--disable-nosem
still tagging findings with is_ignored
$X.map($F)
matches xs map f
profiling_times
object in --time --json
output for more fine
"..."
(#3881)
f(...)
and f($X)
correctly match f(x)
in f(x) { |n| puts n }
(#3880)
switch
had no other statement following it, and the last switch's default
case was a statement, such as throw
, break
switch
to not be resolved during the construction of
synchronized
blocks in the dataflow IL (#4150)
await
, yield
, &
, and other expressions
options:
with flddef_assign: true
(#4187)
options:
with arrow_is_function: false
(#4187)
options:
with let_is_var: false
x.f(y)
, if x
is a constant then
case object
within blocks
case _x : Int => ...
sh
as an alias for bash
case class
within blocks
metavariable-comparison
: if a metavariable binds to a code variable that
~
when resolving config paths
semgrep --validate
runs metachecks on the rule
(=> Int) => Int
import (... "error" ...)
o. ... .foo()
will now
o.foo()
.
--enable-metrics
flag is now always a flag, does not optionally take an argument
@interface
pattern (#4030)
not_conflicting: true
. This affects the change made in 0.68.0
- pattern: $F(...)
to work, but turned out to
- pattern: $F(...)
is supported via the new not-conflicting sanitizers.
raise
/throw
expressions in the dataflow engine and improved
try-catch-finally
semgrep --config ... <(...)
- pattern: $F(...)
for declaring that any other
source(...)
and built-in sanitizer
sanitize(...)
used for convenience during early development, this was causing
source
!p/ci
) use new rule cdn and do client-side hydration
options:
with attr_expr: false
(#3489)
<... x ...>
now matches sub-expressions of statements
-filter_irrelevant_rules
causing Semgrep to