Use Semgrep patterns
Since Promyze 4.12.0 (released in May 2023), it's possible to write Semgrep patterns to detect best practices.
Semgrep is an open-source, lightweight static analysis tool for code. Semgrep aims to help developers identify security vulnerabilities, bugs, and potential issues in their code by scanning it for patterns and expressions. The tool supports 30+ programming languages, including Python, JavaScript, Go, among others. The complete list of supported languages is available here.
Semgrep's name is derived from "semantic grep": it extends the traditional grep UNIX command to work on abstract syntax trees (ASTs) and the semantic structure of code rather than merely searching for text patterns. One key feature is defining custom rules using a simple YAML-based syntax. With Promyze, you can define a custom rule for a best practice whenever the practice can be expressed as a pattern. This offers a more powerful mechanism than regular expressions.
The doc center also offers an interactive tutorial to write your first rules. You can browse the public registry to explore rules and examples of patterns.
Finally, reach the #support channel in our public Slack to get support; we'd be happy to help you write your rules 👍
To add a Semgrep pattern to a best practice, open it and click on the Configure Automatic Suggestion link to open this window, then click on the Add a Semgrep configuration button.

You'll get this configuration panel where you're invited to write the Semgrep patterns section of the rule:

As you can see, only a sub-part of a full Semgrep rule description is needed. If we consider a complete Semgrep rule, only the pattern / patterns section is required:

rules:
  - id: example-rule
    message: Semgrep found a match
    languages:
      - python
    severity: WARNING
    ############## All above is handled internally by Promyze.
    ############## Just input the part below in the Promyze UI editor
    pattern: print("...")
You'll need to specify the target programming language of the rule. Indeed, unlike regular expressions, Semgrep is aware of the code structure of its supported languages.
Before saving a rule, Promyze checks whether the configuration is valid. The message Pattern is invalid. indicates that your pattern must be fixed.
Here are a few examples of patterns you can use in the Promyze editor.

A <button> element that does not explicitly set type="button":

patterns:
  - pattern: <button ...>...</button>
  - pattern-not: <button type="button" ...>...</button>

A JavaScript function that reassigns one of its parameters:

patterns:
  - pattern: |
      function $F (..., $X, ...) {
        ...
        $X = ...
        ...
      }

A class with a Listener field that is subscribed in one method but never unsubscribed in any method (the match is reported on the field):

patterns:
  - pattern: |
      class $CLASS {
        ...
        Listener $L;
        ...
        $X $ME (...) {
          ...
          $L.subscribe();
          ...
        }
        ...
      }
  - pattern-not: |
      class $CLASS {
        ...
        Listener $L;
        ...
        $X $ME2 (...) {
          ...
          $L.unsubscribe();
          ...
        }
        ...
      }
  - focus-metavariable:
      - $L

A class whose name matches UseCase.* that imports something from an .infra. package (the match is reported on the import):

patterns:
  - pattern: |
      import $I;
      ...
      class $CLASS {
        ...
      }
  - metavariable-regex:
      metavariable: $CLASS
      regex: UseCase.*
  - metavariable-regex:
      metavariable: $I
      regex: .*\.infra\..*
  - focus-metavariable: $I
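To try a pattern locally before pasting it into Promyze, the following added example (not Promyze's own code) wraps the pattern section with the fields the page says Promyze handles internally and runs semgrep --validate on the result; the id, the handling of missing semgrep and the wrapping itself are assumptions, and the sample input is the JavaScript "parameter reassigned" pattern above.

```python
"""Wrap a Promyze-style pattern fragment into a full Semgrep rule and validate it locally."""
import json
import shutil
import subprocess
import tempfile
from pathlib import Path

# Fields the page says Promyze fills in itself; the id value here is an assumption.
PROMYZE_HANDLED = {"id": "promyze-best-practice",
                   "message": "Semgrep found a match", "severity": "WARNING"}


def to_yaml(value, indent=0):
    """Tiny YAML emitter for the dict/list/str shapes a Semgrep rule uses:
    multi-line strings become `|` block scalars, other scalars are JSON-quoted."""
    pad = " " * indent
    if isinstance(value, dict):
        lines = []
        for key, item in value.items():
            sep = "\n" if isinstance(item, (dict, list)) else " "
            lines.append(f"{pad}{key}:{sep}{to_yaml(item, indent + 2)}")
        return "\n".join(lines)
    if isinstance(value, list):
        return "\n".join(f"{pad}- {to_yaml(item, indent + 2).lstrip(' ')}" for item in value)
    if isinstance(value, str) and "\n" in value:
        return "|\n" + "\n".join(pad + line for line in value.strip("\n").splitlines())
    return json.dumps(value)  # JSON quoting is valid YAML and escapes quotes/backslashes


def build_rule(pattern_section, language):
    """Return the complete rule YAML; only `pattern_section` is typed into the UI."""
    rule = dict(PROMYZE_HANDLED, languages=[language], **pattern_section)
    return to_yaml({"rules": [rule]}) + "\n"


def validate(pattern_section, language):
    """Local counterpart of Promyze's 'Pattern is invalid.' check.
    Returns (ok, detail); ok is None when semgrep is not on PATH."""
    if shutil.which("semgrep") is None:
        return None, "semgrep not installed"
    with tempfile.TemporaryDirectory() as tmp:
        rule_file = Path(tmp, "rule.yaml")
        rule_file.write_text(build_rule(pattern_section, language))
        proc = subprocess.run(
            ["semgrep", "--validate", "--metrics=off", "--config", str(rule_file)],
            capture_output=True, text=True)
    return proc.returncode == 0, (proc.stdout + proc.stderr).strip()


# Constructed input: the JavaScript "function reassigns a parameter" pattern shown above.
PARAM_REASSIGN = {"patterns": [
    {"pattern": "function $F (..., $X, ...) {\n  ...\n  $X = ...\n  ...\n}"}]}
```

Call build_rule(PARAM_REASSIGN, "javascript") to see the full rule Promyze would submit, and validate(PARAM_REASSIGN, "javascript") to check it with a local semgrep install.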