Semgrep’s weekly release cadence lets us ship features quickly, but it falls short when it comes to highlighting larger features. This post looks back through the last few months to highlight the biggest new features that landed.
If you need a reminder: Semgrep is a fast, open-source static analysis tool for finding bugs and enforcing code standards. Semgrep App is a hosted application that helps your team make the most of Semgrep.
Static analysis tools are a key component of a modern security program and are used to analyze source code for vulnerabilities. However, SAST tools are often noisy, producing false positives and false negatives, because every organization’s use case, technology stack, and deployment platform is unique. Addressing the noise in such SAST tools can be a waste of already limited security team and developer time.
Semgrep is simple to tune and highly customizable; you can write rules specific to your use case in minutes, minimizing noise as well as deploying Semgrep in your preferred SCM tool. With Semgrep’s May launch, we’re introducing:
DeepSemgrep (in private beta): a proprietary Semgrep extension that makes the engine give even more accurate results
New Playground: an overhaul of the Semgrep Playground for easier rule-writing
GitHub Enterprise & GitLab Self-Managed Support: Semgrep can now leave PR and MR comments on these platforms
DeepSemgrep
Semgrep’s design philosophy is to be fast and simple. That is why we focused on single-file analysis. However, many of you have asked for an extension to Semgrep that analyzes across files, because complex vulnerabilities often involve behavior that is only detectable when several source files are considered simultaneously. Recognizing the value of deeper vulnerability detection, today we're announcing DeepSemgrep for Java and Ruby. It's a proprietary extension to Semgrep that uses the exact same rules but performs deeper cross-file analysis. This analysis takes longer, but returns better results with zero rule changes.
For security engineers, this means:
fewer false negatives, for instance, with interfile constant propagation
fewer false positives (Semgrep can find more matches to a pattern), for instance, by proving that a variable resolves to a compile-time constant imported from another file or making taint analysis work interfile
We're thrilled to partner with early users and push Semgrep's analysis capabilities even further. If you'd like to join the private beta, request access here.
Feature Comparison
| Semgrep | DeepSemgrep | |
|---|---|---|
| All existing Semgrep features (join mode, within-file taint mode, etc.) | yes | yes |
| Analyze across multiple files | no | yes |
| → Interfile constant propagation | no | yes |
| → Interfile type inference | no | yes |
| → Interfile taint tracking | no | yes |
| License | LGPL 2.1 | proprietary |
| Rule syntax & schema | no difference | no difference |
| Languages supported | 24+ languages |
New Playground
Since the beginning, the Playground has been most users’ introduction to Semgrep rule writing. It’s the place where you can easily write rules, run them against your test code, and iterate on the results.
While the Playground is extremely popular, we’ve heard from the community that users want to see their rules and code side-by-side, have a more “developer-native” workflow (such as the ability to fork, save, and share rules), and have easy access to the Registry, much like is already possible in the Editor.
With this launch, we are making the Playground’s experience consistent with the Editor, so that you can access benefits of the Editor. The new Playground takes advantage of the Editor rule writing improvements and unifies these two feature’s so that bug fixes and development happen together.
Figure 1: New Playground (before signing in)
Figure 2: New Playground (after signing in)
Signing into the new Playground unlocks benefits such as saving a rule, sharing it, adding it to your Rule Board, etc. For more information, check out the documentation.
The old Playground will still be available and can be accessed using the top-right menu.
GitHub Enterprise and GitLab Self-Managed support
Semgrep can already be easily deployed on GitHub (Free, Pro, and Team) and GitLab SaaS. Today, we’re adding support for both GitHub Enterprise and GitLab Self-Managed for our Team-tier users. With this support, Semgrep App can now leave inline pull and merge request comments about security issues when scanning projects on GitHub Enterprise and GitLab Self-Managed.
Figure 3: Inline PR comment in GitHub Enterprise
But wait, there’s more!
This launch also includes -
Autofix - Semgrep App users can now enable GitHub/GitLab Autofix suggestions to surface findings to developers in Semgrep’s pull and merge request comments, enabling them to accept code fixes from within the Github/GitLab UI.
Figure 4: Autofix in Semgrep App
Default Ruleset (experimental) - Semgrep App now comes with a default ruleset that will provide the best results out-of-the-box without any additional configuration.
Figure 5: Default ruleset
Conclusion
A strong community of security engineers already appreciates Semgrep as an outstanding tool to find security vulnerabilities. Together, we’re working to make Semgrep even better. With the addition of features such as DeepSemgrep, the new Playground, and the support for GitHub Enterprise and GitLab Self-Managed, Semgrep moves closer to being the defacto static analysis tool used by security teams everywhere.
Please contact us if you’d like to learn more about deploying Semgrep in GitHub Enterprise or GitLab Self-Managed. If you’re excited about DeepSemgep, you can be among the first to get access to it!
About
Semgrep lets security teams partner with developers and shift left organically, without introducing friction. Semgrep gives security teams confidence that they are only surfacing true, actionable issues to developers, and makes it easy for developers to fix these issues in their existing environments.
