Skip to main content

Contributing code

Semgrep welcomes contributions from anyone. If you have an idea for a feature or notice a bug please open an issue. Creating an issue first is preferable to moving directly to a pull request so that we can ensure you're on the right track without any wasted effort. This is also a great way to contribute to Semgrep even if you're not making changes yourself.

This README gives an overview of the repository. For further information on building, you will be directed to semgrep-core contributing and/or semgrep-cli contributing in Making a Change.

File structure

Semgrep consists of a Python wrapper (semgrep-cli) around an OCaml engine (semgrep-core) which performs the core parsing/matching work. Within semgrep-core, there are two sources of parsers, pfff and tree-sitter-lang using tree-sitter. Additionally, semgrep-core contains a subengine, spacegrep, for generic matching.

You may also be interested in perf, which contains our code for running repositories against specific rulesets.

There are many other files, but the below diagram broadly displays the file structure.

├── cli/ (Python wrapper)
│ └── src/
│ └── semgrep/

├── src/ (semgrep-core)
│ │── analyzing/ (Dataflow analysis)
│ │── core_cli/ (Entrypoint for semgrep-core)
│ └── matching/ (Matching engine)

├── languages/ (Language parsers)

├── libs/ (Library components)
│ │── ast_generic/ (Generic AST)
│ └── spacegrep/ (Generic matching)

└── perf/ (Performance benchmarking)

Most of Semgrep's logic is in cli/src and src.

Code relationship

The semgrep-core binary stands alone. Once built, it is possible to run semgrep-core on a semgrep rule for a given language with a file/directory and receive matches.

For example, say you create the config file unsafe-exec.yaml and the program

- id: unsafe-exec
pattern: exec(...);
message: Avoid use of exec; it can lead to a remote code execution.
severity: WARNING
languages: [python]

If you run semgrep-core -config unsafe-exec.yaml -lang python, it will output with rule unsafe-exec

If you run semgrep --config unsafe-exec.yaml, it will output

running 1 rules...
severity:warning rule:unsafe-exec: Avoid use of exec; it can lead to a remote code execution.
ran 1 rules on 1 files: 1 findings

The matched code is the same, but with semgrep-cli the output is more polished and includes the message.

semgrep-cli invokes the semgrep-core binary as a subprocess, with a flag to request JSON output. It reads the semgrep-core output and transforms it appropriately.

Currently, depending on the flags used, spacegrep is invoked both independently by semgrep-cli as a subprocess and by semgrep-core as a subfolder. Therefore, semgrep-cli requires the spacegrep binary, but building semgrep-core will build spacegrep as well.

Making a change

Semgrep runs on Python versions >= 3.7. If you don't have one of these versions installed, please do so before proceeding.

Because the Python and OCaml development paths are relatively independent, the instructions are divided into Python (semgrep-cli contributing) and OCaml (semgrep-core contributing).

To fully build Semgrep from source, start at semgrep-core contributing. It will direct you to semgrep-cli contributing when appropriate.

Depending on what change you want to make, it might be simpler to build only semgrep-cli or only semgrep-core. For example, if you only want to modify Python code, you can skip installing OCaml by downloading binaries for the OCaml parts. Similarly, if you only want to modify OCaml code, you can work on semgrep-core/spacegrep directly.

If you only want to build semgrep-cli, go straight to semgrep-cli contributing. Otherwise, follow the instructions in semgrep-core contributing.

Below is a guide for what functionality each of semgrep-cli and semgrep-core controls.

Only semgrep-cli

The python code for Semgrep performs pre and post-processing work. You likely need to touch only semgrep-cli if you want to affect

  • How output is formatted
  • What files are scanned for each language
  • The message that is displayed

Go to semgrep-cli contributing

Only semgrep-core

The OCaml code for Semgrep performs all the parsing and matching work. You likely need to touch only semgrep-core if you want to

  • Fix a parse error
  • Fix a matching error
  • Improve Semgrep's performance

Go to semgrep-core contributing

Both semgrep and semgrep-core

There are some features that cross through both OCaml and Python code. You will likely need to touch both semgrep-cli and semgrep-core if you want to

  • Fix an autofix error
  • Add a new language
  • Change error reporting

Go to semgrep-core contributing. It will direct you to semgrep-cli contributing when appropriate.

Development workflow

Before each commit Semgrep will run pre-commit to ensure files are well-formatted and check for basic linting bugs. If you don't have pre-commit installed the following command will do so for you:

python -m pip install pre-commit

Our pre-commit configuration uses Docker images. Please ensure you have Docker installed before running pre-commit. Install the pre-commit hooks with the following command:

pre-commit install

To ensure pre-commit is working as expected, run the following command:

pre-commit run --all

Once pre-commit is working you may commit code and create pull requests as you would expect. Pull requests require approval of at least one maintainer and CI to be passing.

Explaining code

It's important for code to be easy to maintain. This allows all of us to spend more time on new features rather than spending it on studying legacy code. As a general rule of thumb, assume that all context that is not written down will be lost and forgotten. Useful context includes:

  • Why does this code exist?
  • What or who uses this code?
  • What does this code achieve?
  • Could this code be replaced by an off-the-shelf component? Why not?
  • Does it implement a formal specification or a well-known pattern? Where can we learn more about it?

We ask that each source file start with one comment that concisely answers these questions.

Here's a short example:

Generate unique names with a given prefix.

It can be improved by explaining the code's uses:

Generate unique names with a given prefix. This is used to
name new grammar rules and new OCaml variables.

Adding a changelog entry

Quick reference

Add a new file named like changelog.d/gh-1234.fixed that contains a single paragraph of Markdown text such as:

Fix emojis absorbed by the fleeb generator

File name format:

^^^^ ^^^^^
| |
| one of: "added", "changed", "fixed", "infra"
GitHub issue or pull request ID

Valid changelog file suffixes are:

  • added - New features or other previously non-existing functionality
  • changed - Items that have changed the way Semgrep functions
  • fixed - Bug fixes or other improvements
  • infra - Workflow improvements or other non-code updates

When to add a changelog entry

If you contribute code that affects users, you must add an entry to the changelog, in the changelog.d folder. At each Semgrep release, these files are automatically gathered and formatted to produce release notes.

A changelog entry is required if you are:

  • Adding new features or other previously non-existing functionality.
  • Including important changes in the way Semgrep functions.
  • Submitting bug fixes or other improvements.
  • Creating workflow improvements or other non-code updates.

A tool called towncrier is used for changelog management.

Troubleshooting pre-commit

On M1 macs some pre-commit tests may fail.

If those checks are running in docker containers (such as hadolint) and exit with code 137, this means they are running into a memory limit. This is because for running x86_64 images on an M1 mac, docker will utilize an emulation with qemu that can cause higher memory consumption. To fix this, change the memory limit in Docker Desktop in the Resources section of the Preferences, 8.00GB should be sufficient.

Working with git submodules

A submodule is a reference to a specific commit in another git repository. This results in a subfolder containing a checkout of that repository at that particular commit. Submodules have a reputation of being tricky to use. To minimize problems, make sure to follow these guidelines:

  • When checking out a new branch or commit, update the submodules using the command git submodule update --init --recursive. Adding a shortcut to your shell can be useful. The following is a Bash function that lets you call gitup. It goes into your ~/.bashrc:
gitup() {
echo "git submodule update --init --recursive"
git submodule update --init --recursive
  • When modifying both a parent repo A and one of its submodules B, make one pull request for each (PR A, PR B).
    1. Before merging PR B, make sure the branch on repo B is not lagging behind the main branch. This ensures that the submodule includes all the latest changes made by others.
    2. Make sure PR B is merged before PR A. This ensures that other developers will pick up the changes on B when making their own changes.
    3. After merging PR A, check that submodule B is still up-to-date with respect to its main branch, especially if PR B was merged more than an hour ago. Good to know:
    • Merging in B can be done with a merge commit or by squashing the commits.
    • If squashing commits in B, you must know that the original commit referenced by A becomes orphaned when the branch is deleted but remains cached by git for a while. This is usually sufficient to not require A to point to the newly-squashed commit. If this turns out to be problematic in practice, we may have to disallow commit squashing in the future.