Python support
Semgrep's Python coverage leverages framework-specific analysis capabilities that are not present in Semgrep CE. As a result, many framework-specific Pro rules fail to return findings when run on Semgrep CE. To ensure full security coverage, run `semgrep login && semgrep ci`.
Python support in Semgrep Code
Semgrep Code is a static application security testing (SAST) tool that detects security vulnerabilities in your first-party code.
Analyses and frameworks
- Framework-specific control flow analysis
- Interfile analysis (cross-file)
- Interprocedural analysis (cross-function)
- All analyses performed by Semgrep CE
Coverage
Semgrep aims to provide comprehensive and accurate detection of common OWASP Top 10 issues in source code. Semgrep uses rules, which are instructions that tell it which patterns to detect in code. These rules are usually organized in rulesets.
By default, Semgrep Code provides you with the `p/comment` and `p/default` rulesets. These rulesets provide the most accurate and comprehensive coverage across Semgrep's supported languages.
In addition to rules, the Semgrep engine itself can analyze code and implicit dataflows in the context of the following supported frameworks:
Framework / library | Category |
---|---|
Django | Web framework |
Flask | Web framework |
FastAPI | Web framework |
In addition, Semgrep Code supports 100+ libraries & frameworks based on their overall popularity.
No | Library | Category |
---|---|---|
0 | bcrypt | Cryptographic Library |
1 | cryptography | Cryptographic Library |
2 | passlib | Cryptographic Library |
3 | pycrypto | Cryptographic Library |
4 | pycryptodome | Cryptographic Library |
5 | pycryptodomex | Cryptographic Library |
6 | rsa | Cryptographic Library |
7 | aiomysql | Database Library |
8 | aiopg | Database Library |
9 | aiosqlite | Database Library |
10 | django | Database Library |
11 | djangoorm | Database Library |
12 | mysql-connector | Database Library |
13 | mysqldb | Database Library |
14 | peewee | Database Library |
15 | pep249 | Database Library |
16 | ponyorm | Database Library |
17 | psycopg2 | Database Library |
18 | pymongo | Database Library |
19 | pymssql | Database Library |
20 | pymysql | Database Library |
21 | pyodbc | Database Library |
22 | sqlalchemy | Database Library |
23 | sqlobject | Database Library |
24 | dill | Deserialization Library |
25 | joblib | Deserialization Library |
26 | jsonpickle | Deserialization Library |
27 | lang | Deserialization Library |
28 | numpy | Deserialization Library |
29 | pandas | Deserialization Library |
30 | pyyaml | Deserialization Library |
31 | ruamel | Deserialization Library |
32 | ruamel.yaml | Deserialization Library |
33 | torch | Deserialization Library |
34 | aiofile | File System Library |
35 | django | File System Library |
36 | fileinput | File System Library |
37 | fs | File System Library |
38 | io | File System Library |
39 | linecache | File System Library |
40 | openpyxl | File System Library |
41 | os | File System Library |
42 | pickleshare | File System Library |
43 | pillow | File System Library |
44 | shelve | File System Library |
45 | shutil | File System Library |
46 | stdlib | File System Library |
47 | stdlib2 | File System Library |
48 | stdlib3 | File System Library |
49 | tempfile | File System Library |
50 | toml | File System Library |
51 | ldap3 | LDAP Library |
52 | stdlib | Library With Code Execution Capabilities |
53 | stdlib2 | Library With Code Execution Capabilities |
54 | stdlib3 | Library With Code Execution Capabilities |
55 | aiohttp | Network Library |
56 | boto3 | Network Library |
57 | botocore | Network Library |
58 | httplib2 | Network Library |
59 | httpx | Network Library |
60 | paramiko | Network Library |
61 | pycurl | Network Library |
62 | requests | Network Library |
63 | urllib3 | Network Library |
64 | commands | OS Interaction Library |
65 | dotenv | OS Interaction Library |
66 | os | OS Interaction Library |
67 | paramiko | OS Interaction Library |
68 | popen2 | OS Interaction Library |
69 | stdlib | OS Interaction Library |
70 | stdlib2 | OS Interaction Library |
71 | stdlib3 | OS Interaction Library |
72 | subprocess | OS Interaction Library |
73 | libxml2 | Regex Library |
74 | re | Regex Library |
75 | regex | Regex Library |
76 | stdlib | Regex Library |
77 | stdlib2 | Regex Library |
78 | stdlib3 | Regex Library |
79 | aws-lambda | Serverless Framework |
80 | aiohttp | Web Framework |
81 | cherrypy | Web Framework |
82 | django | Web Framework |
83 | django-crispy-forms | Web Framework |
84 | django_allauth | Web Framework |
85 | django_channels | Web Framework |
86 | django_rest_frameworkapi | Web Framework |
87 | fastapi | Web Framework |
88 | flask | Web Framework |
89 | flask-jwt-extended | Web Framework |
90 | flask-login | Web Framework |
91 | flask-session | Web Framework |
92 | flask-talisman | Web Framework |
93 | flask-wtf | Web Framework |
94 | lang | Web Framework |
95 | pyramid | Web Framework |
96 | starlette | Web Framework |
97 | wtforms | Web Framework |
98 | libxml2 | XML Parsing Library |
99 | lxml | XML Parsing Library |
100 | sax | XML Parsing Library |
101 | stdlib | XML Parsing Library |
102 | stdlib2 | XML Parsing Library |
103 | stdlib3 | XML Parsing Library |
104 | xml | XML Parsing Library |
105 | xml.dom | XML Parsing Library |
106 | xml.dom.minidom | XML Parsing Library |
107 | xml.dom.pulldom | XML Parsing Library |
108 | xml.etree | XML Parsing Library |
109 | xml.sax | XML Parsing Library |
Benchmark results exclusive of AI processing
Semgrep's benchmarking process involves scanning open source repositories, triaging the findings, and making iterative rule updates. This process was developed and is used internally by the Semgrep security research team to monitor and improve rule performance.
Results as of September 9, 2024:
Metric | Result |
---|---|
Benchmark true positive rate (before AI processing) for latest ruleset | 84% |
Lines of code scanned | ~20 million |
Repositories scanned | 192 |
Findings triaged to date | ~1000 |
Python support in Semgrep Supply Chain
Semgrep Supply Chain is a software composition analysis (SCA) tool that detects security vulnerabilities in your codebase introduced by open source dependencies.
Supported package managers
Semgrep supports the following Python package managers:
- pip
- pip-tools
- Pipenv
- Poetry
Analyses and features
The following analyses and features are available for Python:
- Reachability analysis
Reachability refers to whether or not a vulnerable code pattern from a dependency is used in the codebase that imports it. In Semgrep Supply Chain, both a dependency's vulnerable version and code pattern must match for a vulnerability to be considered reachable.
- License detection
Semgrep Supply Chain's license compliance feature enables you to explicitly allow or disallow (block) a package's use in your repository based on its license. For example, your company policy may disallow the use of packages with the Creative Commons Attribution-NonCommercial (CC-BY-NC) license. Semgrep can help enforce this restriction.
- Malicious dependency detection
Semgrep is able to detect malicious dependencies in your projects and in pull requests (PRs) or merge requests (MRs).
- SBOM generation
Semgrep enables you to generate a software bill of materials (SBOM) to assess your third-party dependencies and comply with auditing procedures. Semgrep Supply Chain (SSC) can generate an SBOM for each repository you have added to Semgrep AppSec Platform.
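The two-condition reachability rule described above (vulnerable version AND vulnerable code pattern), as a toy model written for this page; it is not Semgrep Supply Chain's implementation. The `Advisory` type, the package `examplepkg`, the lockfile and the two source snippets are all constructed, and the "pattern" is simplified to a call of one named function found by walking the Python AST.

```python
# Toy model of the reachability rule above (added example, not Semgrep's own
# code): a finding is "reachable" only when BOTH the installed version of the
# dependency is vulnerable AND the project calls the vulnerable API. Versions
# compare as dotted-integer tuples; advisory, lockfile and sources are constructed.
import ast
from dataclasses import dataclass

@dataclass
class Advisory:
    package: str          # distribution name as it appears in the lockfile
    module: str           # import name of the package
    fixed_in: str         # first version that is not vulnerable
    vulnerable_call: str  # name of the vulnerable function in that module

def _ver(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

def uses_pattern(source: str, adv: Advisory) -> bool:
    """True if `source` calls adv.vulnerable_call of adv.module (module or from-import)."""
    tree = ast.parse(source)
    mod_names, func_names = set(), set()  # local names bound to the module / the function
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            mod_names |= {a.asname or a.name for a in node.names if a.name == adv.module}
        elif isinstance(node, ast.ImportFrom) and node.module == adv.module:
            func_names |= {a.asname or a.name for a in node.names if a.name == adv.vulnerable_call}
    for node in ast.walk(tree):
        f = node.func if isinstance(node, ast.Call) else None
        if isinstance(f, ast.Name) and f.id in func_names:
            return True
        if (isinstance(f, ast.Attribute) and f.attr == adv.vulnerable_call
                and isinstance(f.value, ast.Name) and f.value.id in mod_names):
            return True
    return False

def classify(lockfile: dict, sources: list, adv: Advisory) -> str:
    """'not-vulnerable' (fixed or absent), 'unreachable' (bad version, API unused) or 'reachable'."""
    installed = lockfile.get(adv.package)
    if installed is None or _ver(installed) >= _ver(adv.fixed_in):
        return "not-vulnerable"
    return "reachable" if any(uses_pattern(s, adv) for s in sources) else "unreachable"

# Constructed advisory and project: a pretend package whose load() is unsafe before 2.0.0.
ADV = Advisory("examplepkg", "examplepkg", "2.0.0", "load")
LOCK = {"examplepkg": "1.4.2"}
APP_VULN = "import examplepkg as ep\n\ndef parse(doc):\n    return ep.load(doc)\n"
APP_SAFE = "from examplepkg import safe_load\n\ndef parse(doc):\n    return safe_load(doc)\n"
```

Running `classify(LOCK, [APP_VULN], ADV)` yields "reachable", while the same lockfile with `APP_SAFE` yields "unreachable": the version alone produces a finding, but only the matching call makes it reachable.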
Python support in Semgrep CE
Semgrep CE is a fast, lightweight program analysis tool that can help you detect bugs in your code. It makes use of Semgrep's LGPL 2.1 open source engine.
Analyses
- Single-file, cross-function constant propagation
- Single-function taint analysis
- Semantic analysis
Coverage
- Check the license of a rule to ensure it meets your licensing requirements. See Licensing for more details.
The Semgrep Registry provides Python rulesets. Sample usage:
`semgrep scan --config p/python`