
Announcing Semgrep’s beta support for Rust

Programming language, or cult following?


Hey, I'm a Security Engineer at Red Canary, and a guest author here. I'm interested in all things automated program analysis. Fuzzing, static analysis, dynamic analysis, you name it. In short, making the computer sweat, so you don't have to.

Rust is on a meteoric rise within the tech community. It was voted "Most Loved" programming language for the 7th year in a row in the 2022 Stack Overflow Developer Survey. In fact, just this morning I was reading another article evangelizing Rust: How Rust went from a side project to the world’s most-loved programming language. Rust is also beginning to see adoption in the enterprise space. Red Canary, my employer, has forgone C and all its security baggage, and instead chosen Rust for implementing our Linux EDR sensor.

Now, Rust is not a panacea. It can still have security bugs. To that end, we use Semgrep to help ensure our Rust code is secure on every commit. As a big believer in open source, we also saw an opportunity to contribute back to the community and work with r2c to improve Semgrep's Rust support to beta. For that, I thank Red Canary for giving me the time to contribute the first Rust rules to the Semgrep community. That was the easy part. I'd also like to give a shout out to the one, the only, Yoann Padioleau for improving Semgrep's parsing and feature support for Rust.

So, go ahead, find all those unsafe blocks and air out those skeletons in the closet.

Semgrep’s Rust beta support was released in v1.10.0. To scan your Rust code from the command line, upgrade to Semgrep v1.10.0 or higher (for example with brew upgrade semgrep or pip install --upgrade semgrep) and run semgrep --config=auto or semgrep --config=p/rust in your project directory.
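As an added example (this is not code from the original post, nor a rule from Semgrep's own registry), here is a small custom rule file that finds the unsafe blocks mentioned above, plus calls to mem::transmute, which is the most common way for an unsafe block to turn into a memory-safety bug. The rule ids, messages and metadata are this editor's own choices; the pattern syntax is standard Semgrep.

```yaml
# Added example (not from the original post or the Semgrep project): two
# Semgrep rules for Rust. Rule ids, messages and metadata are this editor's
# own; the pattern syntax (metavariables, `...`, pattern-either) is Semgrep's.
rules:
  - id: rust-unsafe-block
    languages: [rust]
    severity: WARNING
    # `...` matches any statements inside the block, so every `unsafe { }`
    # is reported regardless of its contents. This is an audit finding, not
    # a vulnerability: it tells a reviewer where the compiler's guarantees
    # have been switched off and manual review is required.
    pattern: |
      unsafe { ... }
    message: >-
      `unsafe` block: the memory-safety invariants here are the author's
      responsibility, not the compiler's. Document the invariant this block
      relies on in a `// SAFETY:` comment and keep the block as small as
      possible.
    metadata:
      category: security
      subcategory: [audit]

  - id: rust-mem-transmute
    languages: [rust]
    severity: WARNING
    # transmute reinterprets the bits of one type as another; a size or
    # alignment mismatch, or a bit pattern that is invalid for the target
    # type, is undefined behaviour. Match the fully-qualified and imported
    # spellings that appear in typical code.
    pattern-either:
      - pattern: std::mem::transmute(...)
      - pattern: core::mem::transmute(...)
      - pattern: mem::transmute(...)
      - pattern: transmute(...)
    message: >-
      `mem::transmute` call: prefer a checked conversion (`From`/`TryFrom`,
      `as`, `to_ne_bytes`/`from_ne_bytes`) where one exists, and justify
      any remaining use in a `// SAFETY:` comment.
    metadata:
      category: security
      subcategory: [audit]
```

Save this as, for example, rules/rust-unsafe.yaml and run semgrep --config rules/rust-unsafe.yaml . from the project root. To unit-test the rules the way the registry does, put a Rust file with the same basename (rules/rust-unsafe.rs) beside it, add a // ruleid: rust-unsafe-block or // ruleid: rust-mem-transmute comment on the line before each expected match, and run semgrep --test rules/; Semgrep reports any annotated line the rule misses and any unannotated line it flags. The patterns above only cover the spellings written in them, so extend pattern-either with whatever aliases your codebase actually uses.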
