announcements

Announcing Semgrep’s support for Go in Pro Engine

We’re adding support for Go in our Pro Engine with 50+ new Go rules covering several popular Go frameworks!

go for pro thumbnail

A few months ago, we launched Semgrep Pro Engine, which added cross-file analysis for Java and JavaScript into Semgrep Code. Since then, we’ve received overwhelmingly positive support from Pro Engine users to find and fix more complex vulnerabilities across more languages. We are excited to announce that Semgrep Pro Engine now supports Go (Golang) for cross-file analysis.

Go is an increasingly popular programming language due to its speed and ease of use. However, like all languages, it is not immune to bugs and vulnerabilities. With this new addition, Semgrep continues to expand its language coverage and provide accurate, fast, and customizable code analysis tools for security engineers and developers.

We’re also adding 50+ new Go rules covering several popular Go frameworks, including Gin, gRPC, Gorilla, and plain ol’ net/http. We’ve also added new rules for hardcoded secrets to ensure none of those meddling kids secrets make their way into production. Here is an example of a new rule for command injection you can check out!

To get started with Semgrep Pro Engine’s new Go support:

  • In Semgrep Code, add a GitHub or GitLab project and have Semgrep scan your codebase whenever a pull request (PR) or a merge request (MR) is created! Make sure the default ruleset is on your Rule Board & you have the Pro Engine enabled in Settings (as shown below).

default ruleset rule boardsettings page pro engine

  • On the command line, upgrade to Semgrep v1.22.0 or higher and scan with semgrep --pro p/default

We are committed to improving Semgrep's coverage and making it the Go-to code analysis tool across all programming languages.

What language would you like to see Semgrep Pro Engine support next? Join our Community Slack and let us know!

About

Semgrep Logo

Semgrep lets security teams partner with developers and shift left organically, without introducing friction. Semgrep gives security teams confidence that they are only surfacing true, actionable issues to developers, and makes it easy for developers to fix these issues in their existing environments.

Find and fix the issues that matter before build time

Semgrep helps organizations shift left without the developer productivity tax.

Get started in minutesBook a demo