Use Semgrep patterns

Since Packmind 4.12.0 (released in May 2023), it's possible to write Semgrep patterns to detect best practices.

What is Semgrep?

Semgrep is an open-source, lightweight static analysis tool for code. It helps developers find security vulnerabilities, bugs, and other potential issues by scanning code for patterns. The tool supports 30+ programming languages, including Python, JavaScript and Go; the complete list of supported languages is available in the Semgrep documentation.

Semgrep's name is derived from "semantic grep": it extends the traditional UNIX grep command to work on abstract syntax trees (ASTs) and the semantic structure of code, rather than merely searching for text patterns.

One key feature is defining custom rules using a simple YAML-based syntax. With Packmind, you can attach such a custom rule to a best practice whenever the practice can be expressed as one. Because Semgrep understands code structure, this offers a more powerful mechanism than regular expressions.

Get started with Semgrep rules

The best way to learn to write Semgrep rules is to check the Semgrep documentation.

The doc center also offers an interactive tutorial to write your first rules. You can browse the public registry to explore rules and examples of patterns.

Finally, reach the #support channel in our public Slack to get support; we'd be happy to help you write your rules 👍

Configure Semgrep patterns for your best practices

To add a Semgrep pattern to a best practice, open the practice, click on the Configure Automatic Suggestion link to open the window shown below, then click on the Add a Semgrep configuration button.

You'll get this configuration panel where you're invited to write the Semgrep patterns section of the rule:

As you can see, only part of a full Semgrep rule is needed. Taking a complete Semgrep rule as a reference, only the pattern / patterns section has to be entered:

rules:
  - id: Example rule
    message: Semgrep found a match
    languages:
      - python
    severity: WARNING
############## Everything above is handled internally by Packmind.
############## Only enter the part below in the Packmind UI editor.
    pattern: print("...")

You'll need to specify the target programming language of the rule. Unlike regular expressions, Semgrep is aware of the code structure of each of its supported languages, so the pattern is parsed according to that language.

Before saving a rule, Packmind checks whether the configuration is valid. The message "Pattern is invalid." indicates that your pattern must be fixed.

Example of Semgrep patterns

[HTML] All button tags should have the attribute type="button"

patterns:
  - pattern: <button ...>...</button>
  - pattern-not: <button type="button" ...>...</button>

[JavaScript] Don't allow functions parameters to be reassigned

patterns:
  - pattern: |
      function $F (..., $X, ...) {
          ...
          $X = ...
          ...
      }

[Java] A class with a Listener field should contain both a .subscribe() and an .unsubscribe() call

patterns:
  - pattern: |
      class $CLASS {
        ...
        Listener $L;
        ...
        $X $ME (...) {
          ...
          $L.subscribe();
          ...
        }
        ...
      }
  # A metavariable already bound in `pattern` must take the same value in
  # `pattern-not`, so the return type gets its own metavariable ($Y) here,
  # just as the method name does ($ME2).
  - pattern-not: |
      class $CLASS {
        ...
        Listener $L;
        ...
        $Y $ME2 (...) {
          ...
          $L.unsubscribe();
          ...
        }
        ...
      }
  - focus-metavariable:
      - $L

[Java] A class with name starting with UseCase should not import modules from the infra layer

patterns:
  - pattern: |
      import $I;
      ...
      class $CLASS {
        ...
      }
  - metavariable-regex:
      metavariable: $CLASS
      regex: UseCase.*
  - metavariable-regex:
      metavariable: $I
      regex: .*\.infra\..*
  - focus-metavariable: $I

Other examples are available on the public Semgrep Registry.
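To try a pattern locally before entering it in Packmind, the JavaScript example above can be wrapped in a complete rule file and paired with a test file that uses Semgrep's `ruleid:` / `ok:` annotation convention. This is an added example, not Packmind's or Semgrep's own code; the rule id, file names and the `run_semgrep_tests` helper are assumptions, and running the tests requires a local Semgrep install.

```shell
# Added example (not Packmind's or Semgrep's own code): wrap the page's
# JavaScript "no parameter reassignment" pattern in a complete rule and an
# annotated test file. Rule id and file names are assumptions.
write_semgrep_testdir() {
  dir="$1"
  mkdir -p "$dir"
  # Full rule file: Packmind adds everything except the `patterns:` block.
  cat > "$dir/no-param-reassign.yml" <<'EOF'
rules:
  - id: no-param-reassign
    message: parameter $X of function $F is reassigned
    languages: [javascript]
    severity: WARNING
    patterns:
      - pattern: |
          function $F (..., $X, ...) {
              ...
              $X = ...
              ...
          }
EOF
  # Test file with the same base name. A `ruleid:` comment means the next
  # line must produce a finding, `ok:` means it must not.
  cat > "$dir/no-param-reassign.js" <<'EOF'
// ruleid: no-param-reassign
function clamp(value, max) {
  value = Math.min(value, max);
  return value;
}
// ok: no-param-reassign
function increment(value) {
  let result = value;     // assigning a local is fine
  result = result + 1;
  return result;
}
EOF
}

# Runs Semgrep's test mode on the directory when semgrep is installed;
# otherwise just reports where the files were written.
run_semgrep_tests() {
  dir="$1"
  if command -v semgrep >/dev/null 2>&1; then
    semgrep --test "$dir"
  else
    echo "semgrep not installed; rule and test written to $dir" >&2
  fi
}
```

Once `semgrep --test` passes, only the `patterns:` section of the rule file is pasted into the Packmind editor, with JavaScript selected as the target language.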
