
Python support

Tip

Semgrep's Python coverage relies on framework-specific analysis capabilities that are not present in Semgrep CE. As a result, many framework-specific Pro rules fail to return findings when run on Semgrep CE. To ensure full security coverage, run: semgrep login && semgrep ci

Python support in Semgrep Code

Semgrep Code is a static application security testing (SAST) tool that detects security vulnerabilities in your first-party code.

Analyses and frameworks

  • Framework-specific control flow analysis
  • Interfile analysis (cross-file)
  • Interprocedural analysis (cross-function)
  • All analyses performed by Semgrep CE

Coverage

Semgrep aims to provide comprehensive and accurate detection of common OWASP Top 10 issues in source code. Semgrep uses rules, which are instructions that tell the engine which code patterns to detect. Rules are usually organized into rulesets.

By default, Semgrep Code provides you with the p/comment and p/default rulesets. These rulesets provide the most accurate and comprehensive coverage across Semgrep's supported languages.

In addition to rules, the Semgrep engine itself can analyze code and implicit dataflows in the context of the following supported frameworks:

Framework / library | Category
Django | Web framework
Flask | Web framework
FastAPI | Web framework
In addition, Semgrep Code supports 100+ libraries & frameworks based on their overall popularity.
No | Library | Category
0 | bcrypt | Cryptographic Library
1 | cryptography | Cryptographic Library
2 | passlib | Cryptographic Library
3 | pycrypto | Cryptographic Library
4 | pycryptodome | Cryptographic Library
5 | pycryptodomex | Cryptographic Library
6 | rsa | Cryptographic Library
7 | aiomysql | Database Library
8 | aiopg | Database Library
9 | aiosqlite | Database Library
10 | django | Database Library
11 | djangoorm | Database Library
12 | mysql-connector | Database Library
13 | mysqldb | Database Library
14 | peewee | Database Library
15 | pep249 | Database Library
16 | ponyorm | Database Library
17 | psycopg2 | Database Library
18 | pymongo | Database Library
19 | pymssql | Database Library
20 | pymysql | Database Library
21 | pyodbc | Database Library
22 | sqlalchemy | Database Library
23 | sqlobject | Database Library
24 | dill | Deserialization Library
25 | joblib | Deserialization Library
26 | jsonpickle | Deserialization Library
27 | lang | Deserialization Library
28 | numpy | Deserialization Library
29 | pandas | Deserialization Library
30 | pyyaml | Deserialization Library
31 | ruamel | Deserialization Library
32 | ruamel.yaml | Deserialization Library
33 | torch | Deserialization Library
34 | aiofile | File System Library
35 | django | File System Library
36 | fileinput | File System Library
37 | fs | File System Library
38 | io | File System Library
39 | linecache | File System Library
40 | openpyxl | File System Library
41 | os | File System Library
42 | pickleshare | File System Library
43 | pillow | File System Library
44 | shelve | File System Library
45 | shutil | File System Library
46 | stdlib | File System Library
47 | stdlib2 | File System Library
48 | stdlib3 | File System Library
49 | tempfile | File System Library
50 | toml | File System Library
51 | ldap3 | LDAP Library
52 | stdlib | Library With Code Execution Capabilities
53 | stdlib2 | Library With Code Execution Capabilities
54 | stdlib3 | Library With Code Execution Capabilities
55 | aiohttp | Network Library
56 | boto3 | Network Library
57 | botocore | Network Library
58 | httplib2 | Network Library
59 | httpx | Network Library
60 | paramiko | Network Library
61 | pycurl | Network Library
62 | requests | Network Library
63 | urllib3 | Network Library
64 | commands | OS Interaction Library
65 | dotenv | OS Interaction Library
66 | os | OS Interaction Library
67 | paramiko | OS Interaction Library
68 | popen2 | OS Interaction Library
69 | stdlib | OS Interaction Library
70 | stdlib2 | OS Interaction Library
71 | stdlib3 | OS Interaction Library
72 | subprocess | OS Interaction Library
73 | libxml2 | Regex Library
74 | re | Regex Library
75 | regex | Regex Library
76 | stdlib | Regex Library
77 | stdlib2 | Regex Library
78 | stdlib3 | Regex Library
79 | aws-lambda | Serverless Framework
80 | aiohttp | Web Framework
81 | cherrypy | Web Framework
82 | django | Web Framework
83 | django-crispy-forms | Web Framework
84 | django_allauth | Web Framework
85 | django_channels | Web Framework
86 | django_rest_frameworkapi | Web Framework
87 | fastapi | Web Framework
88 | flask | Web Framework
89 | flask-jwt-extended | Web Framework
90 | flask-login | Web Framework
91 | flask-session | Web Framework
92 | flask-talisman | Web Framework
93 | flask-wtf | Web Framework
94 | lang | Web Framework
95 | pyramid | Web Framework
96 | starlette | Web Framework
97 | wtforms | Web Framework
98 | libxml2 | XML Parsing Library
99 | lxml | XML Parsing Library
100 | sax | XML Parsing Library
101 | stdlib | XML Parsing Library
102 | stdlib2 | XML Parsing Library
103 | stdlib3 | XML Parsing Library
104 | xml | XML Parsing Library
105 | xml.dom | XML Parsing Library
106 | xml.dom.minidom | XML Parsing Library
107 | xml.dom.pulldom | XML Parsing Library
108 | xml.etree | XML Parsing Library
109 | xml.sax | XML Parsing Library

Benchmark results exclusive of AI processing

Semgrep's benchmarking process involves scanning open source repositories, triaging the findings, and making iterative rule updates. This process was developed and is used internally by the Semgrep security research team to monitor and improve rule performance.

Results as of September 9, 2024:

Benchmark true positive rate (before AI processing) for latest ruleset | 84%
Lines of code scanned | ~20 million
Repositories scanned | 192
Findings triaged to date | ~1000

Python support in Semgrep Supply Chain

Semgrep Supply Chain is a software composition analysis (SCA) tool that detects security vulnerabilities in your codebase introduced by open source dependencies.

Supported package managers

Semgrep supports the following Python package managers:

  • pip
  • pip-tools
  • Pipenv
  • Poetry

Analyses and features

The following analyses and features are available for Python:

Reachability analysis

Reachability refers to whether or not a vulnerable code pattern from a dependency is used in the codebase that imports it. In Semgrep Supply Chain, both a dependency's vulnerable version and code pattern must match for a vulnerability to be considered reachable.
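The two-part condition above (vulnerable version pinned AND vulnerable pattern used) can be modelled in a few lines. The following is an added toy illustration, not Semgrep Supply Chain's implementation; the advisory, the requirements file and the source snippets are constructed, and the pyyaml version boundary and pattern are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    """Constructed advisory: affected package, first fixed version,
    and the vulnerable call pattern that must appear in first-party code."""
    package: str
    fixed_in: tuple
    pattern: re.Pattern


def parse_version(text: str) -> tuple:
    """'5.0' -> (5, 0); tuples compare element-wise like version numbers."""
    return tuple(int(part) for part in text.split("."))


def parse_requirements(text: str) -> dict:
    """Collect 'name==x.y.z' pins from a pip requirements file; other lines are ignored."""
    pins = {}
    for line in text.splitlines():
        match = re.match(r"\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9.]+)", line)
        if match:
            pins[match.group(1).lower()] = parse_version(match.group(2))
    return pins


def classify(advisory: Advisory, pins: dict, source: str) -> str:
    """Reachable only when the pinned version is vulnerable AND the pattern is used."""
    version = pins.get(advisory.package)
    if version is None:
        return "not affected: package not installed"
    if version >= advisory.fixed_in:
        return "not affected: fixed version pinned"
    if advisory.pattern.search(source):
        return "reachable"
    return "unreachable: vulnerable version pinned, pattern never called"


# Constructed sample inputs: a hypothetical advisory about yaml.load() in pyyaml
PYYAML_ADVISORY = Advisory("pyyaml", parse_version("5.1"), re.compile(r"\byaml\.load\("))
REQUIREMENTS = "pyyaml==5.0\nrequests==2.31.0\n"
USES_LOAD = "import yaml\nconfig = yaml.load(open('app.yml'))\n"
USES_SAFE_LOAD = "import yaml\nconfig = yaml.safe_load(open('app.yml'))\n"
```

Run classify() against the three constructed inputs to see the same pin classified as reachable, unreachable, or not affected depending on what the code actually calls.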

License detection

Semgrep Supply Chain's license compliance feature enables you to explicitly allow or disallow (block) a package's use in your repository based on its license. For example, your company policy may disallow the use of packages with the Creative Commons Attribution-NonCommercial (CC-BY-NC) license. Semgrep can help enforce this restriction.

Malicious dependency detection

Semgrep is able to detect malicious dependencies in your projects and in pull requests (PRs) or merge requests (MRs).

SBOM generation

Semgrep enables you to generate a software bill of materials (SBOM) to assess your third-party dependencies and comply with auditing procedures. Semgrep Supply Chain (SSC) can generate an SBOM for each repository you have added to Semgrep AppSec Platform.

Python support in Semgrep CE

Semgrep CE is a fast, lightweight program analysis tool that can help you detect bugs in your code. It makes use of Semgrep's LGPL 2.1 open source engine.

Analyses

  • Single-file, cross-function constant propagation
  • Single-function taint analysis
  • Semantic analysis
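The difference between the single-function taint analysis listed here and the interprocedural analysis listed under Semgrep Code comes down to whether a source in one function can be connected to a sink in another. The following added example (not Semgrep's code) shows that shape: a request parameter enters in handler() and reaches a query in a separate function. The in-memory table and the query_params dict standing in for flask.request.args are constructed for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "o'brien")])
    return conn


def lookup_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # Sink: the query is assembled by string formatting. Analysed on its own,
    # single-function taint analysis cannot know that `name` came from a request.
    return conn.execute(f"SELECT id FROM users WHERE name = '{name}'").fetchall()


def lookup_user_fixed(conn: sqlite3.Connection, name: str) -> list:
    # Hardened form: a bound parameter, so the driver never parses `name` as SQL.
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()


def handler(conn: sqlite3.Connection, query_params: dict, lookup=lookup_user_fixed) -> list:
    # Source: a request parameter (constructed stand-in for flask.request.args).
    # Only interprocedural analysis links this value to the sink in lookup_user_*().
    name = query_params.get("name", "")
    return lookup(conn, name)
```

A name containing a quote is enough to show the behavioural difference: the parameterized version returns the matching row, while the formatted version fails as soon as the input is interpreted as SQL.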

Coverage

Tip

  • Check the license of a rule to ensure it meets your licensing requirements. See Licensing for more details.

The Semgrep Registry provides the following Python rulesets:

Sample usage:

semgrep scan --config p/python
