Semgrep’s JavaScript coverage leverages framework-specific analysis capabilities that are not present in OSS. As a result, many framework-specific Pro rules will fail to return findings if run on OSS. To ensure full security coverage, run: semgrep login && semgrep ci.

Semgrep Code analyses

  • Framework-specific control flow analysis
  • Inter-file analysis (cross-file)
  • Inter-procedural analysis (cross-function)


Semgrep aims to provide comprehensive and accurate detection of common OWASP Top 10 issues in source code.

In addition to rules, the Semgrep engine itself can analyze code and implicit dataflows in the context of the following supported frameworks:

| Supported frameworks | Type of framework |
| --- | --- |
| Express | Web framework |
| Koa | Web framework |
| Hapi | Web framework |
| NestJS | Web framework |

Semgrep Code supports 50+ libraries & frameworks based on their overall popularity.

| Supported libraries | Type of library |
| --- | --- |
| axios | Network library |
| nodemail | Network library |
| node-fetch | Network library |
| needle | Network library |
| http | Network library |
| https | Network library |
| net | Network library |
| http2 | Network library |
| got | Network library |
| request | Network library |
| marked | Markdown library |
| dot | Template engine |
| child-process | OS interaction library |
| nestjs | Web framework |
| express | Web framework |
| koa | Web framework |
| hapi | Web framework |
| sqlite | Database library |
| sqlite3 | Database library |
| typeorm | Database library |
| mongoose | Database library |
| mongodb | Database library |
| knex | Database library |
| mikro-orm | Database library |
| @mikro-orm/core | Database library |
| @mikro-orm/better-sqlite | Database library |
| @mikro-orm/entity-generator | Database library |
| @mikro-orm/knex | Database library |
| @mikro-orm/libsql | Database library |
| @mikro-orm/mariadb | Database library |
| @mikro-orm/migrations-mongodb | Database library |
| @mikro-orm/migrations | Database library |
| @mikro-orm/mongodb | Database library |
| @mikro-orm/mssql | Database library |
| @mikro-orm/mysql | Database library |
| @mikro-orm/postgresql | Database library |
| @mikro-orm/reflection | Database library |
| @mikro-orm/seeder | Database library |
| @mikro-orm/sqlite | Database library |
| pg | Database library |
| pg-native | Database library |
| pg-pool | Database library |
| mysql | Database library |
| mysql2 | Database library |
| sequelize | Database library |
| libxml | XML parsing library |
| xpath | XML parsing library |
| puppeteer | Library with code execution capabilities |
| vm2 | Library with code execution capabilities |
| vm | Library with code execution capabilities |
| rimraf | File system library |
| papaparse | File system library |
| fs-extra | File system library |
| fs | File system library |
| sharp | File system library |
| path | File system library |
| webcrypto | Cryptographic library |
| crypto | Cryptographic library |
| http-body | Express middleware |
| cors | Express middleware |
| express-session | Express middleware |
| helmet | Express middleware |
| @koa/cors | Koa middleware |
| lodash | Utility library |
| validator | String validation library |
| escape-string-regexp | String sanitization library |
| date-fns | Date manipulation library |
| moment | Date manipulation library |
| luxon | Date manipulation library |
| dayjsfns | Date manipulation library |
| mongo-sanitize | String sanitization library |
| express-mongo-sanitize | String sanitization library |

Benchmark results exclusive of AI processing

Semgrep's benchmarking process involves scanning open source repositories, triaging the findings, and making iterative rule updates. This process was developed and is used internally by the Semgrep security research team to monitor and improve rule performance.

Results as of February 25, 2025:

| Metric | Result |
| --- | --- |
| True positive rate (before AI processing) for latest p/default ruleset | 63% |
| Lines of code scanned | ~8 million |
| Repositories scanned | 153 |
| Findings triaged to date | ~600 |

