
DeepSemgrep overview

Introduction

DeepSemgrep extends Semgrep's regular intrafile (within-a-single-file) analysis with interfile analysis, improving scan results across an entire codebase. It lets you scan whole repositories written in an object-oriented style, with classes spread across different files, and find vulnerabilities whose data flow crosses file boundaries. DeepSemgrep is a proprietary extension of the free and open source Semgrep; it leverages global analysis tools and uses the same rules as Semgrep.

DeepSemgrep language support

Refer to Supported languages to see languages supported by DeepSemgrep.

Installing DeepSemgrep

To enable DeepSemgrep installation, schedule a product demo by following these steps:

  1. Submit your email using the DeepSemgrep beta form.
  2. Follow the steps and instructions in the email you receive from the Semgrep team and schedule a product demo.

After your product demo, you'll get access to a new ruleset! Follow the instructions below to get your findings.

Prerequisite

To install DeepSemgrep, follow these steps:

  1. Log in to Semgrep CLI with the following command:
    semgrep login
  2. Follow the link that Semgrep printed in the command line.
  3. To install DeepSemgrep, use the following command:
    semgrep install-semgrep-pro
  4. To test DeepSemgrep, use the following command in the root directory of the codebase to scan:
    semgrep --deep --config "p/deepsemgrep" --dataflow-traces
    The p/deepsemgrep config is a DeepSemgrep-specific ruleset to which you gained access after your product demo.
  5. Optional: We appreciate your help gathering data as we improve DeepSemgrep! If you are comfortable sending usage metrics to r2c, run the command with --time --metrics on:
    semgrep --deep --config "p/deepsemgrep" --dataflow-traces --time --metrics on
    See Semgrep Privacy Policy for details of what is being sent to r2c.
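The scan in step 4 pays off on code where the tainted value and the dangerous call sit in different files. The following script is an added example, not part of the DeepSemgrep docs: it builds such a two-file Python fixture, writes a small taint rule of our own (a hypothetical rule, not the p/deepsemgrep ruleset), and runs the page's command with and without --deep so the difference is visible. It assumes a semgrep CLI on PATH and skips the scan otherwise.

```shell
# Added example, not from the DeepSemgrep docs: a two-file Python fixture whose
# taint source and sink live in different files, a constructed taint rule, and
# the page's scan run with and without --deep (assumes semgrep is on PATH).

make_fixture() {
  # $1 = directory to populate; succeeds only when all three files exist.
  dir="$1"
  mkdir -p "$dir/app"
  # File 1: untrusted input enters here and is handed to another file.
  cat > "$dir/app/handler.py" <<'EOF'
from flask import request
from app.db import find_user
def lookup():
    name = request.args.get("name")  # taint source
    return find_user(name)           # call crosses into app/db.py
EOF
  # File 2: the sink. Scanned alone, this file shows no tainted input.
  cat > "$dir/app/db.py" <<'EOF'
import sqlite3
def find_user(name):
    cur = sqlite3.connect("users.db").cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")  # sink
    return cur.fetchall()
EOF
  # Constructed taint rule (ours, not p/deepsemgrep): request param -> execute().
  cat > "$dir/sqli.yaml" <<'EOF'
rules:
  - id: example-cross-file-sqli
    languages: [python]
    severity: ERROR
    message: untrusted request data reaches cursor.execute()
    mode: taint
    pattern-sources:
      - pattern: request.args.get(...)
    pattern-sinks:
      - pattern: $CUR.execute(...)
EOF
  [ -f "$dir/app/handler.py" ] && [ -f "$dir/app/db.py" ] && [ -f "$dir/sqli.yaml" ]
}

scan() {
  # $1 = fixture dir, $2 = "" (intrafile) or --deep (interfile); prints finding count.
  command -v semgrep >/dev/null 2>&1 || { echo "semgrep not on PATH, skipping" >&2; return 0; }
  (cd "$1" && semgrep $2 --config sqli.yaml --dataflow-traces --json . | grep -o '"check_id"' | wc -l)
}

fixture="$(mktemp -d)"
make_fixture "$fixture"
scan "$fixture" ""        # intrafile: source and sink never meet, expect 0
scan "$fixture" --deep    # interfile: follows find_user(), expect 1 plus its trace
```

With --dataflow-traces the interfile finding is reported with the path from request.args.get() in handler.py through find_user() to cursor.execute() in db.py, which is the evidence a reviewer needs to triage it.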
Note: Let us know what you think about the results in the Semgrep Community Slack.

Additional information

Difference between DeepSemgrep and join mode

DeepSemgrep is different from join mode. Join mode also lets you perform interfile analyses, but it does so by joining on the metavariable matches of separate rules rather than by analyzing data flow across files.

Future development of DeepSemgrep

We’re excited to hear what’s on your mind. As users explore the limits of DeepSemgrep, we want to know what they’re failing to express. We believe that interfile type inference, constant propagation, and taint tracking combined allow users to express most restrictions on a program and enforce them quickly. Let us know what you think about the results in the Semgrep Community Slack.