Rule updates

Welcome to monthly rule updates. This document includes selected new rules, removed or reduced number of false positives (FP) and false negatives (FN). These new rules and their updates are made by the Semgrep community and Semgrep, Inc.

February 2023

Community rules

Thanks to Sjord, @artem-fedorov and @gabriellesc for their contributions!

New rules from Semgrep community and Semgrep, Inc

• Improved coverage for security issues in Terraform: terraform.aws.security
• Additional rules for weak ciphers in Java: java.lang.security.audit.crypto
• Additional rules for inline JavaScript and related security issues:
  • html.security.audit.eval-detected.eval-detected
  • html.security.audit.inscure-document-method.insecure-document-method

Updated Community rules

• Added and improved autofix for many rules
• Improved patterns:
  • java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call
  • javascript.express.security.express-insecure-template-usage.express-insecure-template-usage
  • java.lang.security.audit.crypto.des-is-deprecated
  • java.lang.security.audit.crypto.no-null-cipher
  • java.lang.security.audit.crypto.rsa-no-padding
  • problem-based-packs.insecure-transport.js-node.disallow-old-tls-versions2.disallow-old-tls-versions2
• Improved accuracy:
  • java.spring.security.injection.tainted-html-string.tainted-html-string
  • generic.secrets.gitleaks.generic-api-key.generic-api-key
  • contrib.nodejsscan.crypto_node.node_md5
  • contrib.nodejsscan.crypto_node.node_sha1
  • dockerfile.security.last-user-is-root.last-user-is-root
  • generic.dockerfile.security.last-user-is-root.last-user-is-root
  • generic.secrets.security.detected-npm-token.detected-npm-token
  • php.lang.security.injection.echoed-request.echoed-request
• Improved rule message:
  • java.security.spring.audit.spring-csrf-disabled.spring-csrf-disabled
  • contrib.nodejsscan.crypto_node.node_md5
  • contrib.nodejsscan.crypto_node.node_sha1
  • ruby.rails.security.brakeman.check-unscoped-find.check-unscoped-find
  • terraform.aws.security.aws-cloudwatch-log-group-unencrypted.aws-cloudwatch-log-group-unencrypted
  • terraform.aws.security.aws-dynamodb-table-unencrypted.aws-dynamodb-table-unencrypted
  • terraform.aws.security.aws-lambda-environment-unencrypted.aws-lambda-environment-unencrypted
  • terraform.aws.security.aws-secretsmanager-secret-unencrypted.aws-secretsmanager-secret-unencrypted
• Improved metadata:
  • ruby.lang.security.no-eval.ruby-eval
  • contrib.nodejsscan.crypto_node.node_md5
  • contrib.nodejsscan.crypto_node.node_sha1
  • ruby.rails.security.brakeman.check-unscoped-find.check-unscoped-find

Pro rules

New Pro rules

• Improved coverage for:
  • Deserialization issues in Java
  • Deserialization issues in Python
  • Weak hash algorithms in JavaScript
  • NoSQL injection in Java
  • NoSQL injection in JavaScript
  • ReDOS in JavaScript

January 2023

Community rules

New rules from Semgrep community and Semgrep, Inc

• Thanks johnssimon007! New rule for empty encryption key in Python: python.cryptography.security.empty-aes-key.empty-aes-key
• Thanks johnssimon007! New rule for header injection in Python/Flask: python.flask.security.audit.host-header-injection-python
• Additional rule for deserialization vulnerabilities in Ruby: ruby.lang.security.bad-deserialization-env.bad-deserialization-env
• Ported regex-based rules from Gitleaks

Updated Community rules

• Thanks @ben-elttam! FP reduction in Kubernetes rules:
  • yaml.kubernetes.security.run-as-non-root.run-as-non-root
  • yaml.kubernetes.security.run-as-non-root-unsafe-value.run-as-non-root-unsafe-value
• Thanks @artem-fedorov! OWASP metadata fixed for too many rules to list here!
• Thanks ianmuscat! FP reduction with additional patterns: generic.ci.security.use-frozen-lockfile.use-frozen-lockfile
• Thanks paisleyrob! FP reduction with improved patterns:
  • c.lang.security.use-after-free.use-after-free
  • c.lang.security.insecure-use-printf-fn.insecure-use-printf-fn
• Thanks rc-JoshuaZepf! FP reduction with improved patterns: terraform.lang.security.ec2-imdsv1-optional.ec2-imdsv1-optional
• Thanks nightshiba! FP reduction with improved patterns: javascript.express.security.audit.xss.mustache.explicit-unescape.template-explicit-unescape
• Thanks Sjord! FP reduction with improved patterns: php.lang.security.audit.assert-use-audit.assert-use-audit
• FP reduction with improved pattern for taint mode:
  • javascript.express.security.audit.express-ssrf.express-ssrf
  • java.spring.security.injection.tainted-file-path.tainted-file-path
  • java.spring.security.injection.tainted-system-command.tainted-system-command
  • ruby.lang.security.bad-deserialization-yaml.bad-deserialization-yaml
  • javascript.express.security.audit.xss.direct-response-write.direct-response-write
• FN reduction with improved patterns for taint mode:
  • java.spring.security.injection.tainted-file-path.tainted-file-path
  • java.spring.security.injection.tainted-html-string.tainted-html-string
  • java.spring.security.injection.tainted-sql-string.tainted-sql-string
  • java.spring.security.injection.tainted-system-command.tainted-system-command
  • java.spring.security.injection.tainted-url-host.tainted-url-host
• Deprecated rules:
  • java.spring.security.cve.cve-2022-22965.cve-2022-22965
  • php.lang.security.preg-replace-eval.preg-replace-eval
  • html.security.missing-noopener.missing-noopener
  • html.security.missing-noreferrer.missing-noreferrer

Pro rules

The Pro rules are created by Semgrep, Inc and targeted for security and software engineers who need accurate findings. These rules were previously marked as Team tier rules (see the updates below). As of this update, these rules are called the Pro rules and are available with the Team or higher tier.

New Pro rules

• New rules for hardcoded secrets:
  • Database libraries for Java
  • Database libraries for Ruby
• New rules for JavaScript:
  • Weak symmetric cryptography
  • RegExp ReDos
  • XSS
  • Open Redirect
• New rules for Java:
  • SSRF in Java Servlets and Spring Framework

Updated Pro rules

• FP reduction with improved pattern for taint mode:
  • Command Injection in Java Servlets and Spring Framework
  • XSS in Java Spring Framework
  • XXE in Java

December 2022

Community tier

New rules from Semgrep community and Semgrep, Inc

• Thanks @aabashkin! Added rule for MongoDB NoSQL Injection: java.mongodb.security.injection.audit.mongodb-nosqli
• Thanks @rc-mattschwager! Added Rust security rules:
  • rust.lang.security.args-os.args-os
  • rust.lang.security.args.args
  • rust.lang.security.current-exe.current-exe
  • rust.lang.security.insecure-hashes.insecure-hashes
  • rust.lang.security.reqwest-accept-invalid.reqwest-accept-invalid
  • rust.lang.security.reqwest-set-sensitive.reqwest-set-sensitive
  • rust.lang.security.rustls-dangerous.rustls-dangerous
  • rust.lang.security.ssl-verify-none.ssl-verify-none
  • rust.lang.security.temp-dir.temp-dir
  • rust.lang.security.unsafe-usage.unsafe-usage
• Thanks @artem-fedorov! Fixed typos, spurious spaces and other formatting mistakes in many rules!
• Thanks @nightshiba! Improved SSRF detection in Flask: python.flask.security.injection.ssrf-requests.ssrf-requests
• New rule for OS Command Injection in Argo workflows: yaml.argo.security.argo-workflow-parameter-command-injection.argo-workflow-parameter-command-injection

Updated community tier rules

• Thanks @mpast! FP reduction in Terraform rules for AWS and Azure:
  • terraform.aws.best-practice.missing-aws-lb-deletion-protection.missing-aws-lb-deletion-protection
  • terraform.azure.best-practice.azure-keyvault-recovery-enabled.azure-keyvault-recovery-enabled
  • terraform.azure.security.azure-automation-encrypted.azure-automation-encrypted
• Thanks @ItsIgnacioPortal! Added external references: yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout
• FP reduction with additional sanitizers: javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection
• FP reduction with improved pattern for taint mode: javascript.express.security.audit.express-open-redirect.express-open-redirect
• FP reduction with improved pattern for taint mode: javascript.express.security.injection.tainted-sql-string.tainted-sql-string
• Reduced severity: dockerfile.audit.dockerfile-source-not-pinned.dockerfile-source-not-pinned
• Added external references:
  • ocaml.lang.best-practice.ref.ocamllint-ref-incr
  • python.lang.maintainability.useless-ifelse.useless-if-conditional
  • terraform.aws.best-practice.missing-aws-lb-deletion-protection.missing-aws-lb-deletion-protection
  • terraform.azure.best-practice.azure-keyvault-recovery-enabled.azure-keyvault-recovery-enabled

Team tier

New and updated team tier rules

New rules for hardcoded secrets:

• Network libraries for Python and Java.

• Database libraries for Python.

• Generic secrets in JavaScript.

• New rules for Angular.

• New rules for SSRF in JavaScript.

• New rules for Open Redirect in JavaScript.

• Improve existing rules for React to cover more use cases.

• Improve existing rules for hardcoded secrets to cover more use cases.

• Improve existing rules for command injection in JavaScript to cover more use cases.

• FP reduction for existing rules for SQLi in JavaScript.

• FP reduction for existing rules for hardcoded secrets in Python.

November 2022

Community tier

New rules from Semgrep community and Semgrep, Inc

• Thanks @Sjord! Added rule for links to plaintext URLs: html.security.plaintext-http-link.plaintext-http-link

Updated community tier rules

• Thanks @harmw! Match variations of auth token: detected-npm-registry-auth-token
• Thanks @keeganparr1! Arbitrary send ERC20: solidity.security.arbitrary-send-erc20.arbitrary-send-erc20
• Thanks @lnobrega-canarie! Allow a template variable in the nonce attribute of a script tag: python.django.security.audit.xss.var-in-script-tag.var-in-script-tag
• Thanks @objectified! Ignore cookies created by Spring's ResponseCookie builder:
  • java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly
  • java.lang.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag
• Thanks @kepten! Update missing-integrity rule to handle HTML tags with newlines properly to reduce false positives: html.security.audit.missing-integrity.missing-integrity
• FP reduction using taint analysis:
  • java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing
  • go.lang.correctness.use-filepath-join.use-filepath-join
  • Thanks to @ianmuscat for reporting this! php.lang.security.file-inclusion.file-inclusion
• Improve autofix by leveraging new AST-based fixes:
  • javascript.dompurify.harden-dompurify-usage
  • python.flask.best-practice.use-jsonify.use-jsonify
  • python.flask.security.xss.audit.template-unquoted-attribute-var.template-unquoted-attribute-var
• FP reduction using typed metavariables: java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call
• Support shebang contexts for finding dangerous command executions: go.lang.security.audit.dangerous-exec-command.dangerous-exec-command
• Filter localhost in Python rules for requests:
  • python.lang.security.audit.insecure-transport.requests.request-with-http.request-with-http
  • python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http
  • python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context
• Added autofix:
  • java.lang.security.audit.crypto.use-of-md5.use-of-md5
  • java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils
• Improved external documentation references: javascript.lang.security.insecure-object-assign.insecure-object-assign
• FP reduction by adding support for matching tuples in Python subprocess functions: python.lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit
• Improve dockerfile rule to handle the --frozen-lockfile argument. Thanks @ianmuscat for reporting this! generic.ci.security.use-frozen-lockfile.use-frozen-lockfile-yarn
• FP reduction Java cookie rules. Thanks to @peter17 for reporting this! java.lang.security.audit.cookie-missing-samesite.cookie-missing-samesite
• FP reduction with improved patterns for DocumentBuilderFactory. Thanks @coheigea for reporting this! java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing

Metadata required by security category

All security rules now adopt an improved set of metadata fields. These fields are required when you contribute to Semgrep Registry with rules in security category. For more details, see Including fields required by security category section.

Team tier

New and updated team tier rules

New rules for hardcoded secrets:

• Database libraries for Python.

• Database libraries for JavaScript and TypeScript.

• Improve existing rules for hardcoded secrets to cover more use cases.

• FP reduction for existing rules for hardcoded secrets.

• FP reduction for Go net/http rules.

October 2022

Community tier

New rules from Semgrep community and Semgrep, Inc

• Thanks @mtausig! csharp.dotnet.security.use_weak_rsa_encryption_padding
• Thanks @Sjord! php.lang.security.redirect-to-request-uri
• yaml.github-actions.security.workflow-run-target-code-checkout

Updated community tier rules

• Fixed issue where false positives were reported with multiple consecutive <link> tags in: html.security.audit.missing-integrity
• Capture additional case when ssl._create_unverified_context is reassigned indirectly: python.lang.security.unverified-ssl-context
• Filter case when a dynamic block is used inside aws_eks_cluster: terraform.lang.security.eks-insufficient-control-plane-logging
• Fixed an issue where the rule was not properly scoped to Azure resources: terraform.azure.security.appservice.appservice-use-secure-tls-policy
• Filter case when only static strings are used: javascript.browser.security.raw-html-join
• Filter case when the user input is used as an index to a map: ruby.rails.security.brakeman.check-render-local-file-include
• FP reduction by removing an unnecessary unanchored pattern: ruby.rails.security.audit.avoid-tainted-shell-call
• Scope Laravel cookie rules to only scan inside files named *session.php:
  • php.laravel.security.laravel-cookie-http-only
  • php.laravel.security.laravel-cookie-long-timeout
  • php.laravel.security.laravel-cookie-null-domain
  • php.laravel.security.laravel-cookie-same-site
  • php.laravel.security.laravel-cookie-secure-set
• Add additional taint sources: php.laravel.security.laravel-unsafe-validator

Team tier

New team rules

New rules for the Laravel PHP framework covering the following vulnerability classes:

• Code injection
• Command injection
• SQL injection
• Path traversal
• CSRF
• Cookie security
• XSS
• SSRF

New rules for Go net/http package covering the following vulnerability classes:

• SQL injection
• Command injection

September 2022

Community tier

New rules from Semgrep community and Semgrep, Inc

• 100+ new Terraform rules for GCP! Thanks @mertcoskuner!
• Python crypto operations with HMAC. Thanks @luisfontes19!
  • python.cryptography.security.mode-without-authentication
  • python.pycryptodome.security.mode-without-authentication
• Spring actuator rules. Thanks @malexmave!
  • java.spring.security.audit.spring-actuator-fully-enabled-yaml
  • java.spring.security.audit.spring-actuator-fully-enabled
  • java.spring.security.audit.spring-actuator-non-health-enabled-yaml
  • java.spring.security.audit.spring-actuator-non-health-enabled
• Rule for persistent secrets in Docker images. Thanks @Sjord!: dockerfile.security.secret-in-build-arg
• Rule for GitHub Actions script injection: yaml.github-actions.security.github-script-injection
• PHP XSS rule: php.lang.security.injection.echoed-request

Changed community tier rules

New metadata keys

Semgrep, Inc is adding new metadata fields to better communicate the intent and importance of findings that a rule generates. The following list provides details about new metadata fields:

• Likelihood: How likely is the impact highlighted by this finding to occur? Examples:
  • Web application user input: HIGH
  • OS environment: MEDIUM
• Impact: How much damage can this issue cause? Examples:
  • SQL Injection: HIGH
  • Information disclosure: LOW
• Confidence: How confident is the author that this finding is exploitable? Examples:
  • User input + formatted SQL string + SQL sink + no intermediate function calls: HIGH
  • User input + SQL sink: MEDIUM
  • Formatted SQL string: LOW
• Subcategory: A list of subcategories that allows the author to specify the intent of the rule. Current values are:
  • Audit: This rule indicates the possible presence of a vulnerability, provided other conditions are present
  • Vuln: This rule is specifically looking for an exploitable vulnerability
• Addtionally, language rulesets (such as p/javascript) have been altered to include only rules that match the following conditions:
  • Subcategory: Vuln
  • Impact: HIGH

Updated community tier rules

• PyYAML rule updated for modern versions of PyYAML. This can lower the occurence of false positive findings. Thanks @shivankar-madaan: python.lang.security.deserialization.avoid-pyyaml-load
• Added new case for C use-after-free where freed var is used in conditional. Thanks @zhengsidie. c.lang.security.use-after-free
• Additional user input added. Thanks @jbergler! ruby.lang.security.no-eval
• Reduced false positives by filtering safe attributes. Thanks @luisfontes19! python.flask.security.open-redirect
• Filtered false positive cases from:
  • generic.secrets.security.detected-slack-webhook
  • java.jax-rs.security.insecure-resteasy
  • javascript.express.security.audit.xss.direct-response-write
  • javascript.express.security.audit.express-open-redirect
  • ruby.rails.security.injection.tainted-sql-string
  • ruby.rails.security.brakeman.check-regex-dos
• Autofix added to the following rules:
  • c.lang.correctness.c-string-equality
  • csharp.lang.correctness.sslcertificatetrust.sslcertificatetrust-handshake-no-trust
  • dockerfile.best-practice.maintainer-is-deprecated
  • dockerfile.best-practice.use-shell-instruction
  • generic.ci.security.use-frozen-lockfile
  • go.lang.security.audit.net.use-tls
  • go.lang.security.filepath-clean-misuse
  • java.lang.security.audit.cbc-padding-oracle
  • java.lang.security.audit.crypto.des-is-deprecated
  • javascript.dompurify
  • python.distributed.security
  • python.django.security.audit.unvalidated-password
  • python.jinja2.security.audit.autoescape-disabled-false
  • python.jinja2.security.audit.missing-autoescape-disabled
  • python.lang.correctness.exit
  • python.lang.correctness.unchecked-returns
  • python.pyramid.audit.authtkt-cookie-httponly-unsafe-value
  • python.pyramid.audit.authtkt-cookie-samesite
  • python.pyramid.audit.authtkt-cookie-secure-unsafe-value
  • python.pyramid.audit.csrf-check-disabled
  • python.pyramid.audit.csrf-origin-check-disabled-globally
  • python.pyramid.audit.csrf-origin-check-disabled
  • python.pyramid.audit.set-cookie-httponly-unsafe-value
  • python.pyramid.audit.set-cookie-samesite-unsafe-value
  • python.pyramid.audit.set-cookie-secure-unsafe-value
  • python.pyramid.security.csrf-check-disabled-globally
  • python.requests.best-practice.use-response-json-shortcut
  • ruby.lang.security.bad-deserialization-yaml
  • ruby.rails.correctness.rails-no-render-after-save
  • yaml.kubernetes.best-practice.no-fractional-cpu-limits

Deprecated community tier rules

These rules no longer produce findings:

• javascript.lang.security.detect-non-literal-require

August 2022

Community tier

New rules from Semgrep community and Semgrep, Inc

• csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation
• Thanks @securecodeninja! jwt-securitytoken-no-expiration.jwt-securitytoken-no-expiration

Updated community tier rules

• Fixed taint source to focus on function argument in csharp.dotnet.security.audit.mass-assignment.mass-assignment.
• Updated various secrets-related rules:
  • Added more patterns for hardcoded secrets in express-session javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret.
  • Added more import patterns to catch more cases javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret.
  • Changed from ERROR to WARNING javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret.
  • Updated to highlight smaller, relevant ranges of code:
    • java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret
    • terraform.aws.security.aws-provider-static-credentials.aws-provider-static-credentials
    • terraform.aws.security.aws-lambda-environment-credentials.aws-lambda-environment-credentials
  • False positive (FP) reduction, updated in taint mode to provide more context:
    • go.jwt-go.security.jwt.hardcoded-jwt-key
    • javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret
    • python.boto3.security.hardcoded-token.hardcoded-token
• Updated to work with multi flags such as -yqq in dockerfile.correctness.missing-assume-yes-switch.missing-assume-yes-switch.
• Updated to taint mode and added more filesystem sources javascript.lang.security.audit.detect-non-literal-fs-filename.detect-non-literal-fs-filename.
• Restricted sources to remove unlikely user input ruby.rails.security.audit.avoid-tainted-shell-call.avoid-tainted-shell-call.
• Added a pattern for escapeHtml={false} typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html.
• Added a pattern for detecting manual user-supplied inputs yaml.github-actions.security.run-shell-injection.run-shell-injection.
• Updated to highlight smaller, relevant ranges of code:
  • ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller
  • ruby.rails.security.injection.tainted-sql-string.tainted-sql-string
• FP reduction: updated to taint mode to provide more context:
  • javascript.express.security.audit.xss.direct-response-write.direct-response-write
  • javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp
  • javascript.lang.security.detect-child-process.detect-child-process
  • javascript.passport-jwt.security.passport-hardcode.hardcoded-passport-secret
  • typescript.react.security.audit.react-unsanitized-method.react-unsanitized-method
  • typescript.react.security.audit.react-unsanitized-property.react-unsanitized-property

Deprecated community tier rules

Semgrep does no longer match anything with the following rules:

• javascript.jose.security.jwt-exposed-credentials.jwt-exposed-credentials
• javascript.jsonwebtoken.security.jwt-exposed-credentials.jwt-exposed-credentials
• javascript.lang.security.audit.non-constant-sql-query.non-constant-sql-query
• python.django.security.audit.xss.template-translate-no-escape.template-translate-no-escape

Team tier

New Team tier rules

• javascript.express.express-child-process.express-child-process
• javascript.express.express-fs-filename.express-fs-filename
• typescript.typescript.node.security.node-rsa-weak-key.node-rsa-weak-key

• New Go rules:

  • go.net.active-debug-code.print-stack-trace.print-stack-trace
  • go.net.active-debug-code.write-pprof-profile-output.write-pprof-profile-output
  • go.net.command-injection.net-http-command-injection-taint.net-http-command-injection-taint
  • go.net.sql.go-vanillasql-format-string-sqli-taint.go-vanillasql-format-string-sqli-taint
  • go.net.sql.pg-orm-sqli-taint.pg-orm-sqli-taint
  • go.net.sql.pg-sqli-taint.pg-sqli-taint
  • go.net.sql.pgx-sqli-taint.pgx-sqli-taint
  • go.net.ssrf.http-ssrf-taint.http-ssrf-taint
  • go.net.xss.formatted-template-string-taint.formatted-template-string-taint
  • go.net.xss.no-direct-write-to-responsewriter-taint.no-direct-write-to-responsewriter-taint
  • go.net.xxe.libxml2-xxe-taint.libxml2-xxe-taint

• New secrets detection rules which try to resolve cases with hardcoded strings used as a secrets in code:

  • csharp.jwt-dotnet.jwt-dotnet-hardcoded-secret.jwt-dotnet-hardcoded-secret
  • csharp.lang.security.system.directoryentry-hardcoded-secret.directoryentry-hardcoded-secret
  • csharp.lang.security.system.networkcredential-hardcoded-secret.networkcredential-hardcoded-secret
  • csharp.lang.security.system.oracleconnectionstringbuilder-hardcoded-secret.oracleconnectionstringbuilder-hardcoded-secret
  • csharp.lang.security.system.passwordauthenticationmethod-hardcoded-secret.passwordauthenticationmethod-hardcoded-secret
  • csharp.lang.security.system.sqlconnection-hardcoded-secret.sqlconnection-hardcoded-secret
  • csharp.lang.security.system.sqlconnectionstringbuilder-hardcoded-secret.sqlconnectionstringbuilder-hardcoded-secret
  • csharp.mongo.csharp-mongo-hardcoded-secret.csharp-mongo-hardcoded-secret
  • csharp.postgres.npgsqlconnectionstringbuilder-hardcoded-secret.npgsqlconnectionstringbuilder-hardcoded-secret
  • java.jsch.jsch-hardcoded-secret.jsch-hardcoded-secret
  • java.lang.security.properties.properties-hardcoded-secret.properties-hardcoded-secret
  • java.lang.security.sql.drivermanager-hardcoded-secret.drivermanager-hardcoded-secret
  • java.lang.security.system.system-setproperty-hardcoded-secret.system-setproperty-hardcoded-secret
  • java.mongo.java-mongo-hardcoded-secret.java-mongo-hardcoded-secret
  • java.mysql.mysql-jdbc-hardcoded-secret.mysql-jdbc-hardcoded-secret
  • javascript.knex.node-knex-hardcoded-secret.node-knex-hardcoded-secret
  • javascript.mongoose.node-mongoose-hardcoded-secret.node-mongoose-hardcoded-secret
  • javascript.mssql.node-mysql-hardcoded-secret.node-mssql-hardcoded-secret
  • javascript.mysql.node-mysql-hardcoded-secret.node-mysql-hardcoded-secret
  • javascript.pg.node-pg-hardcoded-secret.node-pg-hardcoded-secret
  • javascript.sequelize.node-sequelize-hardcoded-secret.node-sequelize-hardcoded-secret
  • python.ldap3.python-ldap3-hardcoded-secret.python-ldap3-hardcoded-secret
  • python.mysql.python-mysql-hardcoded-secret.python-mysql-hardcoded-secret
  • python.psycopg2.python-psycopg2-hardcoded-secret.python-psycopg2-hardcoded-secret
  • python.pyjwt.python-pyjwt-hardcoded-secret.python-pyjwt-hardcoded-secret
  • python.pymongo.python-mongo-hardcoded-secret.python-mongo-hardcoded-secret
  • python.pymongo.python-pymongo-hardcoded-secret.python-pymongo-hardcoded-secret
  • python.pymysql.python-pymysql-hardcoded-secret.python-pymysql-hardcoded-secret
  • python.sqlalchemy.python-sqlalchemy-hardcoded-secret.python-sqlalchemy-hardcoded-secret
  • python.tormysql.python-tormysql-hardcoded-secret.python-tormysql-hardcoded-secret
  • python.webrepl.python-webrepl-hardcoded-secret.python-webrepl-hardcoded-secret

Updated Team tier rules

Added more sinks for the following rules:

• paid.paid.typescript.react.react-refs-prop.react-refs-prop
• paid.paid.typescript.react.react-refs-url.react-refs-url

July 2022

New rules from Segmrep community and Semgrep, Inc

New rules from Semgrep community:

• Thanks to @securecodeninja!
  • csharp.dotnet.security.audit.mass-assignment
  • csharp.lang.security.cryptography.unsigned-security-token
  • csharp.lang.security.open-redirect
  • csharp.lang.security.stacktrace-disclosure
  • csharp.dotnet.security.audit.missing-or-broken-authorization.missing-or-broken-authorization
  • csharp.dotnet.security.audit.open-directory-listing.open-directory-listing
  • csharp.dotnet.security.audit.misconfigured-lockout-option.misconfigured-lockout-option
  • csharp.dotnet.security.audit.razor-use-of-htmlstring.razor-use-of-htmlstring
  • csharp.dotnet.security.audit.ldap-injection
  • csharp.dotnet.security.audit.xpath-injection

New rules have been added with taint sources:

• python.lang.security.audit.dangerous-asyncio-create-exec-tainted-env-args
• python.lang.security.audit.dangerous-asyncio-exec-tainted-env-args
• python.lang.security.audit.dangerous-asyncio-shell-tainted-env-args
• python.lang.security.audit.dangerous-code-run-tainted-env-args
• python.lang.security.audit.dangerous-os-exec-tainted-env-args
• python.lang.security.audit.dangerous-spawn-process-tainted-env-args
• python.lang.security.audit.dangerous-subinterpreters-run-string-tainted-env-args
• python.lang.security.audit.dangerous-subprocess-use-tainted-env-args
• python.lang.security.audit.dangerous-system-call-tainted-env-args

There are now 80 team tier only rules covering Java, PHP, JavaScript, and TypeScript available in the Semgrep Registry. These rules are designed to have higher precision and lower false positive rates.

Rule changes and updates

• Added additional import scenarios for os.system python.lang.security.audit.dangerous-system-call

• Rewritten with taint mode:

  • javascript.express.security.audit.express-path-join-resolve-traversal
  • javascript.lang.security.audit.code-string-concat
  • javascript.lang.security.audit.path-traversal.path-join-resolve-traversal

• Updated precision of source with focus-metavariable:

  • javascript.express.security.injection.tainted-sql-string
  • javascript.lang.security.audit.sqli.node-mysql-sqli

• Added additional filters for acceptable SSL policies: terraform.aws.security.insecure-load-balancer-tls-version

• Added sanitizers: typescript.angular.security.audit.angular-domsanitizer

• Added sanitizers, added constant string filter: typescript.react.security.audit.react-dangerouslysetinnerhtml

• Uses taint mode to remove uninteresting sources: typescript.react.security.audit.react-href-var

• Remove for loop case due to high false positive (FP) rate: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal

• FP reduction by removing cases where user input is likely a number type:

  • javascript.lang.security.audit.sqli.node-knex-sqli
  • javascript.lang.security.audit.sqli.node-mysql-sqli

• Exclude Error and Exception classes from results: ruby.lang.security.model-attributes-attr-accessible

• FP reduction: more specific sources: typescript.angular.security.audit.angular-domsanitizer

• FP reduction by limiting to more specific cases: typescript.react.security.audit.react-dangerouslysetinnerhtml

• Removed 1 case with high FP likelihood: typescript.react.security.audit.react-href-var

• Altered behavior:

  • generic.secrets.security.detected-username-and-password-in-uri.detected-username-and-password-in-uri
  • python.requests.best-practice.use-timeout (fix autofix)

• Removed FPs:

  • javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression
  • dockerfile.best-practice.use-workdir.use-workdir (improved message)

• Removed FPs: python.django.security.audit.xss.direct-use-of-httpresponse.direct-use-of-httpresponse

• Fixed bug: python.pyramid.security.sqlalchemy-sql-injection.pyramid-sqlalchemy-sql-injection

• Removed FPs: terraform.azure.security.appservice.appservice-account-identity-registered.appservice-account-identity-registered

Reduced severity to INFO:

• typescript.react.security.audit.react-jwt-decoded-property
• typescript.react.security.audit.react-jwt-in-localstorage
• typescript.react.security.audit.react-missing-noopener
• typescript.react.security.audit.react-missing-noreferrer

Limit sources to specific properties of Request object rather than all properties:

• javascript.express.security.audit.express-libxml-noent
• avascript.express.security.audit.express-path-join-resolve-traversal
• javascript.express.security.audit.remote-property-injection
• javascript.express.security.cors-misconfiguration
• javascript.express.security.express-data-exfiltration
• javascript.express.security.express-expat-xxe
• javascript.express.security.express-insecure-template-usage
• javascript.express.security.express-sandbox-injection
• javascript.express.security.express-vm-injection
• javascript.express.security.express-vm2-injection
• javascript.express.security.injection.raw-html-format
• javascript.express.security.x-frame-options-misconfiguration

The python.lang.security.audit.dangerous rules have been reworked. All Python -dangerous- rules have had their confidence level changed to LOW. Renamed rules:

• python.lang.security.audit.dangerous-asyncio-create-exec renamed to python.lang.security.audit.dangerous-asyncio-create-exec-audit
• python.lang.security.audit.dangerous-asyncio-exec renamed to python.lang.security.audit.dangerous-asyncio-exec-audit
• python.lang.security.audit.dangerous-asyncio-shell renamed to python.lang.security.audit.dangerous-asyncio-shell-audit
• python.lang.security.audit.dangerous-code-run renamed to python.lang.security.audit.dangerous-code-run-audit
• python.lang.security.audit.dangerous-os-exec renamed to python.lang.security.audit.dangerous-os-exec-audit
• python.lang.security.audit.dangerous-spawn-process renamed to python.lang.security.audit.dangerous-spawn-process-audit
• python.lang.security.audit.dangerous-subinterpreters-run-string renamed to python.lang.security.audit.dangerous-subinterpreters-run-string-audit
• python.lang.security.audit.dangerous-subprocess-use renamed to python.lang.security.audit.dangerous-subprocess-use-audit
• python.lang.security.audit.dangerous-system-call renamed to python.lang.security.audit.dangerous-system-call-audit
• python.lang.security.audit.dangerous-testcapi-run-in-subinterp renamed to python.lang.security.audit.dangerous-testcapi-run-in-subinterp-audit

Added to p/default (p/default are rules that run automatically with semgrep --config p/default):

• javascript.audit.detect-replaceall-sanitization.detect-replaceall-sanitization
• javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage
• javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing
• javascript.express.security.audit.express-detect-notevil-usage.express-detect-notevil-usage
• javascript.express.security.audit.express-libxml-noent.express-libxml-noent
• javascript.express.security.audit.express-libxml-vm-noent.express-libxml-vm-noent
• javascript.express.security.audit.express-res-sendfile.express-res-sendfile
• javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret
• javascript.express.security.audit.express-ssrf.express-ssrf
• javascript.express.security.audit.express-third-party-object-deserialization.express-third-party-object-deserialization
• javascript.express.security.audit.express-xml2json-xxe-event.express-xml2json-xxe-event
• javascript.express.security.audit.remote-property-injection.remote-property-injection
• javascript.lang.security.audit.hardcoded-hmac-key.hardcoded-hmac-key
• javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection

Removed from p/default in Semgrep Registry:

Expand the list with all removed rules

• ajinabraham.njsscan.archive_path_overwrite.admzip_path_overwrite
• ajinabraham.njsscan.archive_path_overwrite.tar_path_overwrite
• ajinabraham.njsscan.archive_path_overwrite.zip_path_overwrite
• ajinabraham.njsscan.archive_path_overwrite.zip_path_overwrite2
• ajinabraham.njsscan.buffer_noassert.buffer_noassert
• ajinabraham.njsscan.crypto_node.node_aes_ecb
• ajinabraham.njsscan.crypto_node.node_aes_noiv
• ajinabraham.njsscan.crypto_node.node_insecure_random_generator
• ajinabraham.njsscan.crypto_node.node_md5
• ajinabraham.njsscan.crypto_node.node_sha1
• ajinabraham.njsscan.crypto_node.node_weak_crypto
• ajinabraham.njsscan.error_disclosure.node_error_disclosure
• ajinabraham.njsscan.eval_deserialize.node_deserialize
• ajinabraham.njsscan.eval_deserialize.serializetojs_deserialize
• ajinabraham.njsscan.eval_drpc_deserialize.grpc_insecure_connection
• ajinabraham.njsscan.eval_grpc_deserialize.grpc_insecure_connection
• ajinabraham.njsscan.eval_node.eval_nodejs
• ajinabraham.njsscan.eval_require.eval_require
• ajinabraham.njsscan.eval_sandbox.sandbox_code_injection
• ajinabraham.njsscan.eval_vm2_injection.vm2_code_injection
• ajinabraham.njsscan.eval_vm2_injection.vm2_context_injection
• ajinabraham.njsscan.eval_vm_injection.vm_code_injection
• ajinabraham.njsscan.eval_vm_injection.vm_compilefunction_injection
• ajinabraham.njsscan.eval_vm_injection.vm_runincontext_injection
• ajinabraham.njsscan.eval_vm_injection.vm_runinnewcontext_injection
• ajinabraham.njsscan.eval_yaml_deserialize.yaml_deserialize
• ajinabraham.njsscan.exec_os_command.generic_os_command_exec
• ajinabraham.njsscan.exec_os_command.generic_os_command_exec2
• ajinabraham.njsscan.exec_shelljs.shelljs_os_command_exec
• ajinabraham.njsscan.express_bodyparser_dos.express_bodyparser
• ajinabraham.njsscan.express_hbs_lfr.express_lfr
• ajinabraham.njsscan.express_hbs_lfr.express_lfr_warning
• ajinabraham.njsscan.good_anti_csrf.anti_csrf_control
• ajinabraham.njsscan.good_helmet_checks.helmet_header_check_crossdomain
• ajinabraham.njsscan.good_helmet_checks.helmet_header_check_csp
• ajinabraham.njsscan.good_helmet_checks.helmet_header_check_expect_ct
• ajinabraham.njsscan.good_helmet_checks.helmet_header_dns_prefetch
• ajinabraham.njsscan.good_helmet_checks.helmet_header_feature_policy
• ajinabraham.njsscan.good_helmet_checks.helmet_header_frame_guard
• ajinabraham.njsscan.good_helmet_checks.helmet_header_hsts
• ajinabraham.njsscan.good_helmet_checks.helmet_header_ienoopen
• ajinabraham.njsscan.good_helmet_checks.helmet_header_nosniff
• ajinabraham.njsscan.good_helmet_checks.helmet_header_referrer_policy
• ajinabraham.njsscan.good_helmet_checks.helmet_header_x_powered_by
• ajinabraham.njsscan.good_helmet_checks.helmet_header_xss_filter
• ajinabraham.njsscan.good_ratelimiting.rate_limit_control
• ajinabraham.njsscan.hardcoded_passport.hardcoded_passport_secret
• ajinabraham.njsscan.header_cookie.cookie_session_default
• ajinabraham.njsscan.header_cookie.cookie_session_no_domain
• ajinabraham.njsscan.header_cookie.cookie_session_no_httponly
• ajinabraham.njsscan.header_cookie.cookie_session_no_maxage
• ajinabraham.njsscan.header_cookie.cookie_session_no_path
• ajinabraham.njsscan.header_cookie.cookie_session_no_samesite
• ajinabraham.njsscan.header_cookie.cookie_session_no_secure
• ajinabraham.njsscan.header_cors_star.express_cors
• ajinabraham.njsscan.header_cors_star.generic_cors
• ajinabraham.njsscan.header_helmet_disabled.helmet_feature_disabled
• ajinabraham.njsscan.header_injection.generic_header_injection
• ajinabraham.njsscan.header_xss_protection.header_xss_generic
• ajinabraham.njsscan.header_xss_protection.header_xss_lusca
• ajinabraham.njsscan.host_header_injection.host_header_injection
• ajinabraham.njsscan.jwt_exposed_credentials.jwt_exposed_credentials
• ajinabraham.njsscan.jwt_exposed_data.jwt_exposed_data
• ajinabraham.njsscan.jwt_express_hardcoded.jwt_express_hardcoded
• ajinabraham.njsscan.jwt_hardcoded.hardcoded_jwt_secret
• ajinabraham.njsscan.jwt_none_algorithm.node_jwt_none_algorithm
• ajinabraham.njsscan.jwt_not_revoked.jwt_not_revoked
• ajinabraham.njsscan.layer7_object_dos.layer7_object_dos
• ajinabraham.njsscan.logic_bypass.node_logic_bypass
• ajinabraham.njsscan.nosql_injection.node_nosqli_js_injection
• ajinabraham.njsscan.path_traversal.generic_path_traversal
• ajinabraham.njsscan.regex_dos.regex_dos
• ajinabraham.njsscan.regex_injection.regex_injection_dos
• ajinabraham.njsscan.resolve_path_traversal.join_resolve_path_traversal
• ajinabraham.njsscan.security_electron.electron_allow_http
• ajinabraham.njsscan.security_electron.electron_blink_integration
• ajinabraham.njsscan.security_electron.electron_context_isolation
• ajinabraham.njsscan.security_electron.electron_disable_websecurity
• ajinabraham.njsscan.security_electron.electron_experimental_features
• ajinabraham.njsscan.security_electron.electron_nodejs_integration
• ajinabraham.njsscan.security_electronjs.electron_allow_http
• ajinabraham.njsscan.security_electronjs.electron_blink_integration
• ajinabraham.njsscan.security_electronjs.electron_context_isolation
• ajinabraham.njsscan.security_electronjs.electron_disable_websecurity
• ajinabraham.njsscan.security_electronjs.electron_experimental_features
• ajinabraham.njsscan.security_electronjs.electron_nodejs_integration
• ajinabraham.njsscan.sequelize_tls.sequelize_tls
• ajinabraham.njsscan.sequelize_tls_validation.sequelize_tls_cert_validation
• ajinabraham.njsscan.sequelize_weak_tls.sequelize_weak_tls
• ajinabraham.njsscan.server_side_template_injection.server_side_template_injection
• ajinabraham.njsscan.sql_injection.node_knex_sqli_injection
• ajinabraham.njsscan.sql_injection.node_sqli_injection
• ajinabraham.njsscan.sql_injection_knex.node_knex_sqli_injection
• ajinabraham.njsscan.ssrf_node.node_ssrf
• ajinabraham.njsscan.ssrf_phantomjs.phantom_ssrf
• ajinabraham.njsscan.ssrf_playwright.playwright_ssrf
• ajinabraham.njsscan.ssrf_puppeteer.puppeteer_ssrf
• ajinabraham.njsscan.ssrf_wkhtmltoimage.wkhtmltoimage_ssrf
• ajinabraham.njsscan.ssrf_wkhtmltopdf.wkhtmltopdf_ssrf
• ajinabraham.njsscan.timing_attack_node.node_timing_attack
• ajinabraham.njsscan.tls_node.node_curl_ssl_verify_disable
• ajinabraham.njsscan.tls_node.node_tls_reject
• ajinabraham.njsscan.xml_entity_expansion_dos.node_entity_expansion
• ajinabraham.njsscan.xpathi_node.node_xpath_injection
• ajinabraham.njsscan.xss_mustache_escape.xss_disable_mustache_escape
• ajinabraham.njsscan.xss_node.express_xss
• ajinabraham.njsscan.xss_serialize_js.xss_serialize_javascript
• ajinabraham.njsscan.xss_templates.handlebars_noescape
• ajinabraham.njsscan.xss_templates.handlebars_safestring
• ajinabraham.njsscan.xss_templates.squirrelly_autoescape
• ajinabraham.njsscan.xxe_expat.xxe_expat
• ajinabraham.njsscan.xxe_node.node_xxe
• ajinabraham.njsscan.xxe_sax.xxe_sax
• ajinabraham.njsscan.xxe_xml2json.xxe_xml2json
• contrib.dlint.dlint-equivalent.insecure-commands-use
• contrib.dlint.dlint-equivalent.insecure-compile-use
• contrib.dlint.dlint-equivalent.insecure-cryptography-attribute-use
• contrib.dlint.dlint-equivalent.insecure-dl-use
• contrib.dlint.dlint-equivalent.insecure-duo-client-use
• contrib.dlint.dlint-equivalent.insecure-eval-use
• contrib.dlint.dlint-equivalent.insecure-exec-use
• contrib.dlint.dlint-equivalent.insecure-gl-use
• contrib.dlint.dlint-equivalent.insecure-hashlib-use
• contrib.dlint.dlint-equivalent.insecure-itsdangerous-use
• contrib.dlint.dlint-equivalent.insecure-marshal-use
• contrib.dlint.dlint-equivalent.insecure-onelogin-attribute-use
• contrib.dlint.dlint-equivalent.insecure-os-exec-use
• contrib.dlint.dlint-equivalent.insecure-os-temp-use
• contrib.dlint.dlint-equivalent.insecure-pickle-use
• contrib.dlint.dlint-equivalent.insecure-popen2-use
• contrib.dlint.dlint-equivalent.insecure-pycrypto-use
• contrib.dlint.dlint-equivalent.insecure-requests-use
• contrib.dlint.dlint-equivalent.insecure-shelve-use
• contrib.dlint.dlint-equivalent.insecure-simplexmlrpcserver-use
• contrib.dlint.dlint-equivalent.insecure-ssl-use
• contrib.dlint.dlint-equivalent.insecure-subprocess-use
• contrib.dlint.dlint-equivalent.insecure-tarfile-use
• contrib.dlint.dlint-equivalent.insecure-tempfile-use
• contrib.dlint.dlint-equivalent.insecure-urllib3-connections-use
• contrib.dlint.dlint-equivalent.insecure-urllib3-warnings-use
• contrib.dlint.dlint-equivalent.insecure-xml-use
• contrib.dlint.dlint-equivalent.insecure-xmlsec-attribute-use
• contrib.dlint.dlint-equivalent.insecure-yaml-use
• contrib.dlint.dlint-equivalent.insecure-zipfile-use
• generic.ci.security.use-frozen-lockfile.use-frozen-lockfile
• generic.ci.security.use-frozen-lockfile.use-frozen-lockfile-npm
• generic.ci.security.use-frozen-lockfile.use-frozen-lockfile-pip
• generic.ci.security.use-frozen-lockfile.use-frozen-lockfile-pipenv
• generic.ci.security.use-frozen-lockfile.use-frozen-lockfile-yarn
• generic.html-templates.security.var-in-href.var-in-href
• generic.nginx.security.request-host-used.request-host-used
• generic.secrets.security.detected-google-gcm-service-account.detected-google-gcm-service-account
• javascript.browser.security.raw-html-join.raw-html-join
• javascript.express.security.audit.express-xml2json-xxe-event.express-xml2json-xxe-event
• javascript.express.security.audit.possible-user-input-redirect.unknown-value-in-redirect
• javascript.express.security.audit.remote-property-injection.remote-property-injection
• javascript.express.security.audit.res-render-injection.res-render-injection
• javascript.express.security.audit.xss.mustache.var-in-script-tag.var-in-script-tag
• javascript.lang.correctness.no-replaceall.no-replaceall
• javascript.lang.security.audit.prototype-pollution.prototype-pollution-assignment.prototype-pollution-assignment
• javascript.lang.security.detect-non-literal-require.detect-non-literal-require
• javascript.sequelize.security.audit.sequelize-raw-query.sequelize-raw-query
• python.flask.security.xss.audit.template-unescaped-with-safe.template-unescaped-with-safe
• python.flask.security.xss.audit.template-unquoted-attribute-var.template-unquoted-attribute-var
• typescript.react.security.audit.react-missing-noreferrer.react-missing-noreferrer
• typescript.react.security.audit.react-unsanitized-property.react-unsanitized-property

Other:

• Fixed message typo: javascript.lang.best-practice.leftover_debugging

---

Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.