Use Semgrep patterns

Since Promyze 4.12.0 (released in May 2023), it's possible to write Semgrep patterns to detect best practices.

What is Semgrep? 
Semgrep is an open-source, lightweight static analysis tool for code. Semgrep aims to help developers identify security vulnerabilities, bugs, and potential issues in their code by scanning it for patterns and expressions. The tool supports  30+ programming languages, including Python, JavaScript, Go, among others. The complete list of supported languages is available here.
Semgrep's name is derived from "semantic grep" as it extends the functionality of traditional grep UNIX command to encompass abstract syntax trees (ASTs) and the semantic structure of code rather than merely searching for text patterns.
One key feature is defining custom rules using a simple YAML-based syntax. With Promyze, you can define custom rules for your best practice, when it's possible to define one. It offers a more advanced mechanism in comparison to the regular expressions. 
Get started with Semgrep rules 
The best way to learn to write Semgrep rules is to check the Semgrep documentation. 
The doc center also offers an interactive tutorial to write your first rules. You can browse the public registry to explore rules and examples of patterns. 
Finally, reach the #support channel in our public Slack to get support, we'd be happy to help you in writing your rules 👍
​
Configure Semgrep patterns for your best practices
To add a Semgrep pattern to a best practice, open it and click on the Configure Automatic Suggestion link to open this window, and click on the button Add a Semgrep configuration.
You'll get this configuration panel where you're invited to write the Semgrep patterns section of  the rule:
As you can see, only a sub-part of a full Semgrep rule description is needed. If we consider a complete Semgrep rule, only the pattern / patterns section is required:
rules:
  - id: Example rule
    message: Semgrep found a match
    languages:
      - python
    severity: WARNING
############## All above is handled by internally Promyze. 
##############Just input the part below in the Promyze UI editor
    pattern: print("...")
​
You'll need the specify the target programming language of the rule. Indeed, inversely to regular expressions, Semgrep is aware of the code structure for its supported languages. 
Before saving a rule, Promyze will check whether the configuration is valid. A message Pattern is invalid. will indicate your pattern must be fixed.
Example of Semgrep patterns
[HTML] All button tags should have the attribute type="button"
    patterns:
      - pattern: <button ...>...</button>
      - pattern-not: <button type="button" ...>...</button>
[JavaScript] Don't allow functions parameters to be reassigned
patterns:
  - pattern: |
      function $F (..., $X, ...) {
          ...
          $X = ...
          ...
      }
[Java] A class with a Listener field should contain both .subscribe()  and .unsubscribe() calls in the class
patterns:
  - pattern: |
      class $CLASS {
        ...
        Listener $L;
        ...
        $X $ME (...) {
          ...
          $L.subscribe();
          ...
        }
        ...
      }
  - pattern-not: |
      class $CLASS {
        ...
        Listener $L;
        ...
        $X $ME2 (...) {
          ...
          $L.unsubscribe();
          ...
        }
        ...
      }
  - focus-metavariable:
      - $L
[Java] A class with name starting with UseCase should not import modules from the infra layer
patterns:
  - pattern: |
      import $I;
      ...
      class $CLASS {
        ...
      }
  - metavariable-regex:
      metavariable: $CLASS
      regex: UseCase.*
  - metavariable-regex:
      metavariable: $I
      regex: .*\.infra\..*
  - focus-metavariable: $I
Other examples are available on the public Semgrep Registry.

Examples of automatic suggestions configurations

The dedicated dashboard

Last modified 18d ago