Rule updates
Welcome to monthly rule updates. This document includes selected new rules, removed or reduced number of false positives (FP) and false negatives (FN). These new rules and their updates are made by the Semgrep community and Semgrep, Inc.
February 2023
Community rules
Thanks to Sjord, @artem-fedorov and @gabriellesc for their contributions!
New rules from Semgrep community and Semgrep, Inc
- Improved coverage for security issues in Terraform: terraform.aws.security
- Additional rules for weak ciphers in Java: java.lang.security.audit.crypto
- Additional rules for inline JavaScript and related security issues:
Updated Community rules
- Added and improved autofix for many rules
- Improved patterns:
- java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call
- javascript.express.security.express-insecure-template-usage.express-insecure-template-usage
- java.lang.security.audit.crypto.des-is-deprecated
- java.lang.security.audit.crypto.no-null-cipher
- java.lang.security.audit.crypto.rsa-no-padding
- problem-based-packs.insecure-transport.js-node.disallow-old-tls-versions2.disallow-old-tls-versions2
- Improved accuracy:
- java.spring.security.injection.tainted-html-string.tainted-html-string
- generic.secrets.gitleaks.generic-api-key.generic-api-key
- contrib.nodejsscan.crypto_node.node_md5
- contrib.nodejsscan.crypto_node.node_sha1
- dockerfile.security.last-user-is-root.last-user-is-root
- generic.dockerfile.security.last-user-is-root.last-user-is-root
- generic.secrets.security.detected-npm-token.detected-npm-token
- php.lang.security.injection.echoed-request.echoed-request
- Improved rule message:
- java.security.spring.audit.spring-csrf-disabled.spring-csrf-disabled
- contrib.nodejsscan.crypto_node.node_md5
- contrib.nodejsscan.crypto_node.node_sha1
- ruby.rails.security.brakeman.check-unscoped-find.check-unscoped-find
- terraform.aws.security.aws-cloudwatch-log-group-unencrypted.aws-cloudwatch-log-group-unencrypted
- terraform.aws.security.aws-dynamodb-table-unencrypted.aws-dynamodb-table-unencrypted
- terraform.aws.security.aws-lambda-environment-unencrypted.aws-lambda-environment-unencrypted
- terraform.aws.security.aws-secretsmanager-secret-unencrypted.aws-secretsmanager-secret-unencrypted
- Improved metadata:
Pro rules
New Pro rules
- Improved coverage for:
- Deserialization issues in Java
- Deserialization issues in Python
- Weak hash algorithms in JavaScript
- NoSQL injection in Java
- NoSQL injection in JavaScript
- ReDOS in JavaScript
January 2023
Community rules
New rules from Semgrep community and Semgrep, Inc
- Thanks johnssimon007! New rule for empty encryption key in Python: python.cryptography.security.empty-aes-key.empty-aes-key
- Thanks johnssimon007! New rule for header injection in Python/Flask: python.flask.security.audit.host-header-injection-python
- Additional rule for deserialization vulnerabilities in Ruby: ruby.lang.security.bad-deserialization-env.bad-deserialization-env
- Ported regex-based rules from Gitleaks
Updated Community rules
- Thanks @ben-elttam! FP reduction in Kubernetes rules:
- Thanks @artem-fedorov! OWASP metadata fixed for too many rules to list here!
- Thanks ianmuscat! FP reduction with additional patterns: generic.ci.security.use-frozen-lockfile.use-frozen-lockfile
- Thanks paisleyrob! FP reduction with improved patterns:
- Thanks rc-JoshuaZepf! FP reduction with improved patterns: terraform.lang.security.ec2-imdsv1-optional.ec2-imdsv1-optional
- Thanks nightshiba! FP reduction with improved patterns: javascript.express.security.audit.xss.mustache.explicit-unescape.template-explicit-unescape
- Thanks Sjord! FP reduction with improved patterns: php.lang.security.audit.assert-use-audit.assert-use-audit
- FP reduction with improved pattern for taint mode:
- javascript.express.security.audit.express-ssrf.express-ssrf
- java.spring.security.injection.tainted-file-path.tainted-file-path
- java.spring.security.injection.tainted-system-command.tainted-system-command
- ruby.lang.security.bad-deserialization-yaml.bad-deserialization-yaml
- javascript.express.security.audit.xss.direct-response-write.direct-response-write
- FN reduction with improved patterns for taint mode:
- java.spring.security.injection.tainted-file-path.tainted-file-path
- java.spring.security.injection.tainted-html-string.tainted-html-string
- java.spring.security.injection.tainted-sql-string.tainted-sql-string
- java.spring.security.injection.tainted-system-command.tainted-system-command
- java.spring.security.injection.tainted-url-host.tainted-url-host
- Deprecated rules:
Pro rules
The Pro rules are created by Semgrep, Inc and targeted for security and software engineers who need accurate findings. These rules were previously marked as Team tier rules (see the updates below). As of this update, these rules are called the Pro rules and are available with the Team or higher tier.
New Pro rules
- New rules for hardcoded secrets:
- Database libraries for Java
- Database libraries for Ruby
- New rules for JavaScript:
- Weak symmetric cryptography
- RegExp ReDos
- XSS
- Open Redirect
- New rules for Java:
- SSRF in Java Servlets and Spring Framework
Updated Pro rules
- FP reduction with improved pattern for taint mode:
- Command Injection in Java Servlets and Spring Framework
- XSS in Java Spring Framework
- XXE in Java
December 2022
Community tier
New rules from Semgrep community and Semgrep, Inc
- Thanks @aabashkin! Added rule for MongoDB NoSQL Injection: java.mongodb.security.injection.audit.mongodb-nosqli
- Thanks @rc-mattschwager! Added Rust security rules:
- rust.lang.security.args-os.args-os
- rust.lang.security.args.args
- rust.lang.security.current-exe.current-exe
- rust.lang.security.insecure-hashes.insecure-hashes
- rust.lang.security.reqwest-accept-invalid.reqwest-accept-invalid
- rust.lang.security.reqwest-set-sensitive.reqwest-set-sensitive
- rust.lang.security.rustls-dangerous.rustls-dangerous
- rust.lang.security.ssl-verify-none.ssl-verify-none
- rust.lang.security.temp-dir.temp-dir
- rust.lang.security.unsafe-usage.unsafe-usage
- Thanks @artem-fedorov! Fixed typos, spurious spaces and other formatting mistakes in many rules!
- Thanks @nightshiba! Improved SSRF detection in Flask: python.flask.security.injection.ssrf-requests.ssrf-requests
- New rule for OS Command Injection in Argo workflows: yaml.argo.security.argo-workflow-parameter-command-injection.argo-workflow-parameter-command-injection
Updated community tier rules
- Thanks @mpast! FP reduction in Terraform rules for AWS and Azure:
- Thanks @ItsIgnacioPortal! Added external references: yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout
- FP reduction with additional sanitizers: javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection
- FP reduction with improved pattern for taint mode: javascript.express.security.audit.express-open-redirect.express-open-redirect
- FP reduction with improved pattern for taint mode: javascript.express.security.injection.tainted-sql-string.tainted-sql-string
- Reduced severity: dockerfile.audit.dockerfile-source-not-pinned.dockerfile-source-not-pinned
- Added external references:
- ocaml.lang.best-practice.ref.ocamllint-ref-incr
- python.lang.maintainability.useless-ifelse.useless-if-conditional
- terraform.aws.best-practice.missing-aws-lb-deletion-protection.missing-aws-lb-deletion-protection
- terraform.azure.best-practice.azure-keyvault-recovery-enabled.azure-keyvault-recovery-enabled
Team tier
New and updated team tier rules
New rules for hardcoded secrets:
Network libraries for Python and Java.
Database libraries for Python.
Generic secrets in JavaScript.
New rules for Angular.
New rules for SSRF in JavaScript.
New rules for Open Redirect in JavaScript.
Improve existing rules for React to cover more use cases.
Improve existing rules for hardcoded secrets to cover more use cases.
Improve existing rules for command injection in JavaScript to cover more use cases.
FP reduction for existing rules for SQLi in JavaScript.
FP reduction for existing rules for hardcoded secrets in Python.
November 2022
Community tier
New rules from Semgrep community and Semgrep, Inc
- Thanks @Sjord! Added rule for links to plaintext URLs: html.security.plaintext-http-link.plaintext-http-link
Updated community tier rules
- Thanks @harmw! Match variations of auth token: detected-npm-registry-auth-token
- Thanks @keeganparr1! Arbitrary send ERC20: solidity.security.arbitrary-send-erc20.arbitrary-send-erc20
- Thanks @lnobrega-canarie! Allow a template variable in the nonce attribute of a script tag: python.django.security.audit.xss.var-in-script-tag.var-in-script-tag
- Thanks @objectified! Ignore cookies created by Spring's ResponseCookie builder:
- Thanks @kepten! Update missing-integrity rule to handle HTML tags with newlines properly to reduce false positives: html.security.audit.missing-integrity.missing-integrity
- FP reduction using taint analysis:
- Improve autofix by leveraging new AST-based fixes:
- FP reduction using typed metavariables: java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call
- Support shebang contexts for finding dangerous command executions: go.lang.security.audit.dangerous-exec-command.dangerous-exec-command
- Filter localhost in Python rules for requests:
- python.lang.security.audit.insecure-transport.requests.request-with-http.request-with-http
- python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http
- python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context
- Added autofix:
- Improved external documentation references: javascript.lang.security.insecure-object-assign.insecure-object-assign
- FP reduction by adding support for matching tuples in Python subprocess functions: python.lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit
- Improve dockerfile rule to handle the
--frozen-lockfileargument. Thanks @ianmuscat for reporting this! generic.ci.security.use-frozen-lockfile.use-frozen-lockfile-yarn - FP reduction Java cookie rules. Thanks to @peter17 for reporting this! java.lang.security.audit.cookie-missing-samesite.cookie-missing-samesite
- FP reduction with improved patterns for
DocumentBuilderFactory. Thanks @coheigea for reporting this! java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing
Metadata required by security category
All security rules now adopt an improved set of metadata fields. These fields are required when you contribute to Semgrep Registry with rules in security category. For more details, see Including fields required by security category section.
Team tier
New and updated team tier rules
New rules for hardcoded secrets:
Database libraries for Python.
Database libraries for JavaScript and TypeScript.
Improve existing rules for hardcoded secrets to cover more use cases.
FP reduction for existing rules for hardcoded secrets.
FP reduction for Go net/http rules.
October 2022
Community tier
New rules from Semgrep community and Semgrep, Inc
- Thanks @mtausig! csharp.dotnet.security.use_weak_rsa_encryption_padding
- Thanks @Sjord! php.lang.security.redirect-to-request-uri
- yaml.github-actions.security.workflow-run-target-code-checkout
Updated community tier rules
- Fixed issue where false positives were reported with multiple consecutive
<link>tags in: html.security.audit.missing-integrity - Capture additional case when
ssl._create_unverified_contextis reassigned indirectly: python.lang.security.unverified-ssl-context - Filter case when a
dynamicblock is used insideaws_eks_cluster: terraform.lang.security.eks-insufficient-control-plane-logging - Fixed an issue where the rule was not properly scoped to Azure resources: terraform.azure.security.appservice.appservice-use-secure-tls-policy
- Filter case when only static strings are used: javascript.browser.security.raw-html-join
- Filter case when the user input is used as an index to a map: ruby.rails.security.brakeman.check-render-local-file-include
- FP reduction by removing an unnecessary unanchored pattern: ruby.rails.security.audit.avoid-tainted-shell-call
- Scope Laravel cookie rules to only scan inside files named
*session.php: - Add additional taint sources: php.laravel.security.laravel-unsafe-validator
Team tier
New team rules
New rules for the Laravel PHP framework covering the following vulnerability classes:
- Code injection
- Command injection
- SQL injection
- Path traversal
- CSRF
- Cookie security
- XSS
- SSRF
New rules for Go net/http package covering the following vulnerability classes:
- SQL injection
- Command injection
September 2022
Community tier
New rules from Semgrep community and Semgrep, Inc
- 100+ new Terraform rules for GCP! Thanks @mertcoskuner!
- Python crypto operations with HMAC. Thanks @luisfontes19!
- Spring actuator rules. Thanks @malexmave!
- Rule for persistent secrets in Docker images. Thanks @Sjord!: dockerfile.security.secret-in-build-arg
- Rule for GitHub Actions script injection: yaml.github-actions.security.github-script-injection
- PHP XSS rule: php.lang.security.injection.echoed-request
Changed community tier rules
New metadata keys
Semgrep, Inc is adding new metadata fields to better communicate the intent and importance of findings that a rule generates. The following list provides details about new metadata fields:
- Likelihood: How likely is the impact highlighted by this finding to occur? Examples:
- Web application user input: HIGH
- OS environment: MEDIUM
- Impact: How much damage can this issue cause? Examples:
- SQL Injection: HIGH
- Information disclosure: LOW
- Confidence: How confident is the author that this finding is exploitable? Examples:
- User input + formatted SQL string + SQL sink + no intermediate function calls: HIGH
- User input + SQL sink: MEDIUM
- Formatted SQL string: LOW
- Subcategory: A list of subcategories that allows the author to specify the intent of the rule. Current values are:
- Audit: This rule indicates the possible presence of a vulnerability, provided other conditions are present
- Vuln: This rule is specifically looking for an exploitable vulnerability
- Addtionally, language rulesets (such as
p/javascript) have been altered to include only rules that match the following conditions:- Subcategory: Vuln
- Impact: HIGH
Updated community tier rules
- PyYAML rule updated for modern versions of PyYAML. This can lower the occurence of false positive findings. Thanks @shivankar-madaan: python.lang.security.deserialization.avoid-pyyaml-load
- Added new case for C use-after-free where freed var is used in conditional. Thanks @zhengsidie. c.lang.security.use-after-free
- Additional user input added. Thanks @jbergler! ruby.lang.security.no-eval
- Reduced false positives by filtering safe attributes. Thanks @luisfontes19! python.flask.security.open-redirect
- Filtered false positive cases from:
- Autofix added to the following rules:
- c.lang.correctness.c-string-equality
- csharp.lang.correctness.sslcertificatetrust.sslcertificatetrust-handshake-no-trust
- dockerfile.best-practice.maintainer-is-deprecated
- dockerfile.best-practice.use-shell-instruction
- generic.ci.security.use-frozen-lockfile
- go.lang.security.audit.net.use-tls
- go.lang.security.filepath-clean-misuse
- java.lang.security.audit.cbc-padding-oracle
- java.lang.security.audit.crypto.des-is-deprecated
- javascript.dompurify
- python.distributed.security
- python.django.security.audit.unvalidated-password
- python.jinja2.security.audit.autoescape-disabled-false
- python.jinja2.security.audit.missing-autoescape-disabled
- python.lang.correctness.exit
- python.lang.correctness.unchecked-returns
- python.pyramid.audit.authtkt-cookie-httponly-unsafe-value
- python.pyramid.audit.authtkt-cookie-samesite
- python.pyramid.audit.authtkt-cookie-secure-unsafe-value
- python.pyramid.audit.csrf-check-disabled
- python.pyramid.audit.csrf-origin-check-disabled-globally
- python.pyramid.audit.csrf-origin-check-disabled
- python.pyramid.audit.set-cookie-httponly-unsafe-value
- python.pyramid.audit.set-cookie-samesite-unsafe-value
- python.pyramid.audit.set-cookie-secure-unsafe-value
- python.pyramid.security.csrf-check-disabled-globally
- python.requests.best-practice.use-response-json-shortcut
- ruby.lang.security.bad-deserialization-yaml
- ruby.rails.correctness.rails-no-render-after-save
- yaml.kubernetes.best-practice.no-fractional-cpu-limits
Deprecated community tier rules
These rules no longer produce findings:
August 2022
Community tier
New rules from Semgrep community and Semgrep, Inc
- csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation
- Thanks @securecodeninja! jwt-securitytoken-no-expiration.jwt-securitytoken-no-expiration
Updated community tier rules
- Fixed taint source to focus on function argument in csharp.dotnet.security.audit.mass-assignment.mass-assignment.
- Updated various secrets-related rules:
- Added more patterns for hardcoded secrets in
express-sessionjavascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret. - Added more import patterns to catch more cases javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret.
- Changed from ERROR to WARNING javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret.
- Updated to highlight smaller, relevant ranges of code:
- False positive (FP) reduction, updated in taint mode to provide more context:
- Added more patterns for hardcoded secrets in
- Updated to work with multi flags such as
-yqqin dockerfile.correctness.missing-assume-yes-switch.missing-assume-yes-switch. - Updated to taint mode and added more filesystem sources javascript.lang.security.audit.detect-non-literal-fs-filename.detect-non-literal-fs-filename.
- Restricted sources to remove unlikely user input ruby.rails.security.audit.avoid-tainted-shell-call.avoid-tainted-shell-call.
- Added a pattern for
escapeHtml={false}typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html. - Added a pattern for detecting manual user-supplied inputs yaml.github-actions.security.run-shell-injection.run-shell-injection.
- Updated to highlight smaller, relevant ranges of code:
- FP reduction: updated to taint mode to provide more context:
- javascript.express.security.audit.xss.direct-response-write.direct-response-write
- javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp
- javascript.lang.security.detect-child-process.detect-child-process
- javascript.passport-jwt.security.passport-hardcode.hardcoded-passport-secret
- typescript.react.security.audit.react-unsanitized-method.react-unsanitized-method
- typescript.react.security.audit.react-unsanitized-property.react-unsanitized-property
Deprecated community tier rules
Semgrep does no longer match anything with the following rules:
- javascript.jose.security.jwt-exposed-credentials.jwt-exposed-credentials
- javascript.jsonwebtoken.security.jwt-exposed-credentials.jwt-exposed-credentials
- javascript.lang.security.audit.non-constant-sql-query.non-constant-sql-query
- python.django.security.audit.xss.template-translate-no-escape.template-translate-no-escape
Team tier
New Team tier rules
- javascript.express.express-child-process.express-child-process
- javascript.express.express-fs-filename.express-fs-filename
- typescript.typescript.node.security.node-rsa-weak-key.node-rsa-weak-key
New Go rules:
- go.net.active-debug-code.print-stack-trace.print-stack-trace
- go.net.active-debug-code.write-pprof-profile-output.write-pprof-profile-output
- go.net.command-injection.net-http-command-injection-taint.net-http-command-injection-taint
- go.net.sql.go-vanillasql-format-string-sqli-taint.go-vanillasql-format-string-sqli-taint
- go.net.sql.pg-orm-sqli-taint.pg-orm-sqli-taint
- go.net.sql.pg-sqli-taint.pg-sqli-taint
- go.net.sql.pgx-sqli-taint.pgx-sqli-taint
- go.net.ssrf.http-ssrf-taint.http-ssrf-taint
- go.net.xss.formatted-template-string-taint.formatted-template-string-taint
- go.net.xss.no-direct-write-to-responsewriter-taint.no-direct-write-to-responsewriter-taint
- go.net.xxe.libxml2-xxe-taint.libxml2-xxe-taint
New secrets detection rules which try to resolve cases with hardcoded strings used as a secrets in code:
- csharp.jwt-dotnet.jwt-dotnet-hardcoded-secret.jwt-dotnet-hardcoded-secret
- csharp.lang.security.system.directoryentry-hardcoded-secret.directoryentry-hardcoded-secret
- csharp.lang.security.system.networkcredential-hardcoded-secret.networkcredential-hardcoded-secret
- csharp.lang.security.system.oracleconnectionstringbuilder-hardcoded-secret.oracleconnectionstringbuilder-hardcoded-secret
- csharp.lang.security.system.passwordauthenticationmethod-hardcoded-secret.passwordauthenticationmethod-hardcoded-secret
- csharp.lang.security.system.sqlconnection-hardcoded-secret.sqlconnection-hardcoded-secret
- csharp.lang.security.system.sqlconnectionstringbuilder-hardcoded-secret.sqlconnectionstringbuilder-hardcoded-secret
- csharp.mongo.csharp-mongo-hardcoded-secret.csharp-mongo-hardcoded-secret
- csharp.postgres.npgsqlconnectionstringbuilder-hardcoded-secret.npgsqlconnectionstringbuilder-hardcoded-secret
- java.jsch.jsch-hardcoded-secret.jsch-hardcoded-secret
- java.lang.security.properties.properties-hardcoded-secret.properties-hardcoded-secret
- java.lang.security.sql.drivermanager-hardcoded-secret.drivermanager-hardcoded-secret
- java.lang.security.system.system-setproperty-hardcoded-secret.system-setproperty-hardcoded-secret
- java.mongo.java-mongo-hardcoded-secret.java-mongo-hardcoded-secret
- java.mysql.mysql-jdbc-hardcoded-secret.mysql-jdbc-hardcoded-secret
- javascript.knex.node-knex-hardcoded-secret.node-knex-hardcoded-secret
- javascript.mongoose.node-mongoose-hardcoded-secret.node-mongoose-hardcoded-secret
- javascript.mssql.node-mysql-hardcoded-secret.node-mssql-hardcoded-secret
- javascript.mysql.node-mysql-hardcoded-secret.node-mysql-hardcoded-secret
- javascript.pg.node-pg-hardcoded-secret.node-pg-hardcoded-secret
- javascript.sequelize.node-sequelize-hardcoded-secret.node-sequelize-hardcoded-secret
- python.ldap3.python-ldap3-hardcoded-secret.python-ldap3-hardcoded-secret
- python.mysql.python-mysql-hardcoded-secret.python-mysql-hardcoded-secret
- python.psycopg2.python-psycopg2-hardcoded-secret.python-psycopg2-hardcoded-secret
- python.pyjwt.python-pyjwt-hardcoded-secret.python-pyjwt-hardcoded-secret
- python.pymongo.python-mongo-hardcoded-secret.python-mongo-hardcoded-secret
- python.pymongo.python-pymongo-hardcoded-secret.python-pymongo-hardcoded-secret
- python.pymysql.python-pymysql-hardcoded-secret.python-pymysql-hardcoded-secret
- python.sqlalchemy.python-sqlalchemy-hardcoded-secret.python-sqlalchemy-hardcoded-secret
- python.tormysql.python-tormysql-hardcoded-secret.python-tormysql-hardcoded-secret
- python.webrepl.python-webrepl-hardcoded-secret.python-webrepl-hardcoded-secret
Updated Team tier rules
Added more sinks for the following rules:
- paid.paid.typescript.react.react-refs-prop.react-refs-prop
- paid.paid.typescript.react.react-refs-url.react-refs-url
July 2022
New rules from Segmrep community and Semgrep, Inc
New rules from Semgrep community:
- Thanks to @securecodeninja!
- csharp.dotnet.security.audit.mass-assignment
- csharp.lang.security.cryptography.unsigned-security-token
- csharp.lang.security.open-redirect
- csharp.lang.security.stacktrace-disclosure
- csharp.dotnet.security.audit.missing-or-broken-authorization.missing-or-broken-authorization
- csharp.dotnet.security.audit.open-directory-listing.open-directory-listing
- csharp.dotnet.security.audit.misconfigured-lockout-option.misconfigured-lockout-option
- csharp.dotnet.security.audit.razor-use-of-htmlstring.razor-use-of-htmlstring
- csharp.dotnet.security.audit.ldap-injection
- csharp.dotnet.security.audit.xpath-injection
New rules have been added with taint sources:
- python.lang.security.audit.dangerous-asyncio-create-exec-tainted-env-args
- python.lang.security.audit.dangerous-asyncio-exec-tainted-env-args
- python.lang.security.audit.dangerous-asyncio-shell-tainted-env-args
- python.lang.security.audit.dangerous-code-run-tainted-env-args
- python.lang.security.audit.dangerous-os-exec-tainted-env-args
- python.lang.security.audit.dangerous-spawn-process-tainted-env-args
- python.lang.security.audit.dangerous-subinterpreters-run-string-tainted-env-args
- python.lang.security.audit.dangerous-subprocess-use-tainted-env-args
- python.lang.security.audit.dangerous-system-call-tainted-env-args
There are now 80 team tier only rules covering Java, PHP, JavaScript, and TypeScript available in the Semgrep Registry. These rules are designed to have higher precision and lower false positive rates.
Rule changes and updates
Added additional import scenarios for os.system python.lang.security.audit.dangerous-system-call
Rewritten with taint mode:
Updated precision of source with
focus-metavariable:Added additional filters for acceptable SSL policies: terraform.aws.security.insecure-load-balancer-tls-version
Added sanitizers: typescript.angular.security.audit.angular-domsanitizer
Added sanitizers, added constant string filter: typescript.react.security.audit.react-dangerouslysetinnerhtml
Uses taint mode to remove uninteresting sources: typescript.react.security.audit.react-href-var
Remove for loop case due to high false positive (FP) rate: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal
FP reduction by removing cases where user input is likely a number type:
Exclude Error and Exception classes from results: ruby.lang.security.model-attributes-attr-accessible
FP reduction: more specific sources: typescript.angular.security.audit.angular-domsanitizer
FP reduction by limiting to more specific cases: typescript.react.security.audit.react-dangerouslysetinnerhtml
Removed 1 case with high FP likelihood: typescript.react.security.audit.react-href-var
Altered behavior:
Removed FPs:
Removed FPs: python.django.security.audit.xss.direct-use-of-httpresponse.direct-use-of-httpresponse
Fixed bug: python.pyramid.security.sqlalchemy-sql-injection.pyramid-sqlalchemy-sql-injection
Removed FPs: terraform.azure.security.appservice.appservice-account-identity-registered.appservice-account-identity-registered
Reduced severity to INFO:
- typescript.react.security.audit.react-jwt-decoded-property
- typescript.react.security.audit.react-jwt-in-localstorage
- typescript.react.security.audit.react-missing-noopener
- typescript.react.security.audit.react-missing-noreferrer
Limit sources to specific properties of Request object rather than all properties:
- javascript.express.security.audit.express-libxml-noent
- avascript.express.security.audit.express-path-join-resolve-traversal
- javascript.express.security.audit.remote-property-injection
- javascript.express.security.cors-misconfiguration
- javascript.express.security.express-data-exfiltration
- javascript.express.security.express-expat-xxe
- javascript.express.security.express-insecure-template-usage
- javascript.express.security.express-sandbox-injection
- javascript.express.security.express-vm-injection
- javascript.express.security.express-vm2-injection
- javascript.express.security.injection.raw-html-format
- javascript.express.security.x-frame-options-misconfiguration
The python.lang.security.audit.dangerous rules have been reworked. All Python -dangerous- rules have had their confidence level changed to LOW. Renamed rules:
- python.lang.security.audit.dangerous-asyncio-create-exec renamed to python.lang.security.audit.dangerous-asyncio-create-exec-audit
- python.lang.security.audit.dangerous-asyncio-exec renamed to python.lang.security.audit.dangerous-asyncio-exec-audit
- python.lang.security.audit.dangerous-asyncio-shell renamed to python.lang.security.audit.dangerous-asyncio-shell-audit
- python.lang.security.audit.dangerous-code-run renamed to python.lang.security.audit.dangerous-code-run-audit
- python.lang.security.audit.dangerous-os-exec renamed to python.lang.security.audit.dangerous-os-exec-audit
- python.lang.security.audit.dangerous-spawn-process renamed to python.lang.security.audit.dangerous-spawn-process-audit
- python.lang.security.audit.dangerous-subinterpreters-run-string renamed to python.lang.security.audit.dangerous-subinterpreters-run-string-audit
- python.lang.security.audit.dangerous-subprocess-use renamed to python.lang.security.audit.dangerous-subprocess-use-audit
- python.lang.security.audit.dangerous-system-call renamed to python.lang.security.audit.dangerous-system-call-audit
- python.lang.security.audit.dangerous-testcapi-run-in-subinterp renamed to python.lang.security.audit.dangerous-testcapi-run-in-subinterp-audit
Added to p/default (p/default are rules that run automatically with semgrep --config p/default):
- javascript.audit.detect-replaceall-sanitization.detect-replaceall-sanitization
- javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage
- javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing
- javascript.express.security.audit.express-detect-notevil-usage.express-detect-notevil-usage
- javascript.express.security.audit.express-libxml-noent.express-libxml-noent
- javascript.express.security.audit.express-libxml-vm-noent.express-libxml-vm-noent
- javascript.express.security.audit.express-res-sendfile.express-res-sendfile
- javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret
- javascript.express.security.audit.express-ssrf.express-ssrf
- javascript.express.security.audit.express-third-party-object-deserialization.express-third-party-object-deserialization
- javascript.express.security.audit.express-xml2json-xxe-event.express-xml2json-xxe-event
- javascript.express.security.audit.remote-property-injection.remote-property-injection
- javascript.lang.security.audit.hardcoded-hmac-key.hardcoded-hmac-key
- javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection
Removed from p/default in Semgrep Registry:
Expand the list with all removed rules
- ajinabraham.njsscan.archive_path_overwrite.admzip_path_overwrite- ajinabraham.njsscan.archive_path_overwrite.tar_path_overwrite- ajinabraham.njsscan.archive_path_overwrite.zip_path_overwrite- ajinabraham.njsscan.archive_path_overwrite.zip_path_overwrite2- ajinabraham.njsscan.buffer_noassert.buffer_noassert- ajinabraham.njsscan.crypto_node.node_aes_ecb- ajinabraham.njsscan.crypto_node.node_aes_noiv- ajinabraham.njsscan.crypto_node.node_insecure_random_generator- ajinabraham.njsscan.crypto_node.node_md5- ajinabraham.njsscan.crypto_node.node_sha1- ajinabraham.njsscan.crypto_node.node_weak_crypto- ajinabraham.njsscan.error_disclosure.node_error_disclosure- ajinabraham.njsscan.eval_deserialize.node_deserialize- ajinabraham.njsscan.eval_deserialize.serializetojs_deserialize- ajinabraham.njsscan.eval_drpc_deserialize.grpc_insecure_connection- ajinabraham.njsscan.eval_grpc_deserialize.grpc_insecure_connection- ajinabraham.njsscan.eval_node.eval_nodejs- ajinabraham.njsscan.eval_require.eval_require- ajinabraham.njsscan.eval_sandbox.sandbox_code_injection- ajinabraham.njsscan.eval_vm2_injection.vm2_code_injection- ajinabraham.njsscan.eval_vm2_injection.vm2_context_injection- ajinabraham.njsscan.eval_vm_injection.vm_code_injection- ajinabraham.njsscan.eval_vm_injection.vm_compilefunction_injection- ajinabraham.njsscan.eval_vm_injection.vm_runincontext_injection- ajinabraham.njsscan.eval_vm_injection.vm_runinnewcontext_injection- ajinabraham.njsscan.eval_yaml_deserialize.yaml_deserialize- ajinabraham.njsscan.exec_os_command.generic_os_command_exec- ajinabraham.njsscan.exec_os_command.generic_os_command_exec2- ajinabraham.njsscan.exec_shelljs.shelljs_os_command_exec- ajinabraham.njsscan.express_bodyparser_dos.express_bodyparser- ajinabraham.njsscan.express_hbs_lfr.express_lfr- ajinabraham.njsscan.express_hbs_lfr.express_lfr_warning- ajinabraham.njsscan.good_anti_csrf.anti_csrf_control- ajinabraham.njsscan.good_helmet_checks.helmet_header_check_crossdomain- ajinabraham.njsscan.good_helmet_checks.helmet_header_check_csp- ajinabraham.njsscan.good_helmet_checks.helmet_header_check_expect_ct- ajinabraham.njsscan.good_helmet_checks.helmet_header_dns_prefetch- ajinabraham.njsscan.good_helmet_checks.helmet_header_feature_policy- ajinabraham.njsscan.good_helmet_checks.helmet_header_frame_guard- ajinabraham.njsscan.good_helmet_checks.helmet_header_hsts- ajinabraham.njsscan.good_helmet_checks.helmet_header_ienoopen- ajinabraham.njsscan.good_helmet_checks.helmet_header_nosniff- ajinabraham.njsscan.good_helmet_checks.helmet_header_referrer_policy- ajinabraham.njsscan.good_helmet_checks.helmet_header_x_powered_by- ajinabraham.njsscan.good_helmet_checks.helmet_header_xss_filter- ajinabraham.njsscan.good_ratelimiting.rate_limit_control- ajinabraham.njsscan.hardcoded_passport.hardcoded_passport_secret- ajinabraham.njsscan.header_cookie.cookie_session_default- ajinabraham.njsscan.header_cookie.cookie_session_no_domain- ajinabraham.njsscan.header_cookie.cookie_session_no_httponly- ajinabraham.njsscan.header_cookie.cookie_session_no_maxage- ajinabraham.njsscan.header_cookie.cookie_session_no_path- ajinabraham.njsscan.header_cookie.cookie_session_no_samesite- ajinabraham.njsscan.header_cookie.cookie_session_no_secure- ajinabraham.njsscan.header_cors_star.express_cors- ajinabraham.njsscan.header_cors_star.generic_cors- ajinabraham.njsscan.header_helmet_disabled.helmet_feature_disabled- ajinabraham.njsscan.header_injection.generic_header_injection- ajinabraham.njsscan.header_xss_protection.header_xss_generic- ajinabraham.njsscan.header_xss_protection.header_xss_lusca- ajinabraham.njsscan.host_header_injection.host_header_injection- ajinabraham.njsscan.jwt_exposed_credentials.jwt_exposed_credentials- ajinabraham.njsscan.jwt_exposed_data.jwt_exposed_data- ajinabraham.njsscan.jwt_express_hardcoded.jwt_express_hardcoded- ajinabraham.njsscan.jwt_hardcoded.hardcoded_jwt_secret- ajinabraham.njsscan.jwt_none_algorithm.node_jwt_none_algorithm- ajinabraham.njsscan.jwt_not_revoked.jwt_not_revoked- ajinabraham.njsscan.layer7_object_dos.layer7_object_dos- ajinabraham.njsscan.logic_bypass.node_logic_bypass- ajinabraham.njsscan.nosql_injection.node_nosqli_js_injection- ajinabraham.njsscan.path_traversal.generic_path_traversal- ajinabraham.njsscan.regex_dos.regex_dos- ajinabraham.njsscan.regex_injection.regex_injection_dos- ajinabraham.njsscan.resolve_path_traversal.join_resolve_path_traversal- ajinabraham.njsscan.security_electron.electron_allow_http- ajinabraham.njsscan.security_electron.electron_blink_integration- ajinabraham.njsscan.security_electron.electron_context_isolation- ajinabraham.njsscan.security_electron.electron_disable_websecurity- ajinabraham.njsscan.security_electron.electron_experimental_features- ajinabraham.njsscan.security_electron.electron_nodejs_integration- ajinabraham.njsscan.security_electronjs.electron_allow_http- ajinabraham.njsscan.security_electronjs.electron_blink_integration- ajinabraham.njsscan.security_electronjs.electron_context_isolation- ajinabraham.njsscan.security_electronjs.electron_disable_websecurity- ajinabraham.njsscan.security_electronjs.electron_experimental_features- ajinabraham.njsscan.security_electronjs.electron_nodejs_integration- ajinabraham.njsscan.sequelize_tls.sequelize_tls- ajinabraham.njsscan.sequelize_tls_validation.sequelize_tls_cert_validation- ajinabraham.njsscan.sequelize_weak_tls.sequelize_weak_tls- ajinabraham.njsscan.server_side_template_injection.server_side_template_injection- ajinabraham.njsscan.sql_injection.node_knex_sqli_injection- ajinabraham.njsscan.sql_injection.node_sqli_injection- ajinabraham.njsscan.sql_injection_knex.node_knex_sqli_injection- ajinabraham.njsscan.ssrf_node.node_ssrf- ajinabraham.njsscan.ssrf_phantomjs.phantom_ssrf- ajinabraham.njsscan.ssrf_playwright.playwright_ssrf- ajinabraham.njsscan.ssrf_puppeteer.puppeteer_ssrf- ajinabraham.njsscan.ssrf_wkhtmltoimage.wkhtmltoimage_ssrf- ajinabraham.njsscan.ssrf_wkhtmltopdf.wkhtmltopdf_ssrf- ajinabraham.njsscan.timing_attack_node.node_timing_attack- ajinabraham.njsscan.tls_node.node_curl_ssl_verify_disable- ajinabraham.njsscan.tls_node.node_tls_reject- ajinabraham.njsscan.xml_entity_expansion_dos.node_entity_expansion- ajinabraham.njsscan.xpathi_node.node_xpath_injection- ajinabraham.njsscan.xss_mustache_escape.xss_disable_mustache_escape- ajinabraham.njsscan.xss_node.express_xss- ajinabraham.njsscan.xss_serialize_js.xss_serialize_javascript- ajinabraham.njsscan.xss_templates.handlebars_noescape- ajinabraham.njsscan.xss_templates.handlebars_safestring- ajinabraham.njsscan.xss_templates.squirrelly_autoescape- ajinabraham.njsscan.xxe_expat.xxe_expat- ajinabraham.njsscan.xxe_node.node_xxe- ajinabraham.njsscan.xxe_sax.xxe_sax- ajinabraham.njsscan.xxe_xml2json.xxe_xml2json- contrib.dlint.dlint-equivalent.insecure-commands-use- contrib.dlint.dlint-equivalent.insecure-compile-use- contrib.dlint.dlint-equivalent.insecure-cryptography-attribute-use- contrib.dlint.dlint-equivalent.insecure-dl-use- contrib.dlint.dlint-equivalent.insecure-duo-client-use- contrib.dlint.dlint-equivalent.insecure-eval-use- contrib.dlint.dlint-equivalent.insecure-exec-use- contrib.dlint.dlint-equivalent.insecure-gl-use- contrib.dlint.dlint-equivalent.insecure-hashlib-use- contrib.dlint.dlint-equivalent.insecure-itsdangerous-use- contrib.dlint.dlint-equivalent.insecure-marshal-use- contrib.dlint.dlint-equivalent.insecure-onelogin-attribute-use- contrib.dlint.dlint-equivalent.insecure-os-exec-use- contrib.dlint.dlint-equivalent.insecure-os-temp-use- contrib.dlint.dlint-equivalent.insecure-pickle-use- contrib.dlint.dlint-equivalent.insecure-popen2-use- contrib.dlint.dlint-equivalent.insecure-pycrypto-use- contrib.dlint.dlint-equivalent.insecure-requests-use- contrib.dlint.dlint-equivalent.insecure-shelve-use- contrib.dlint.dlint-equivalent.insecure-simplexmlrpcserver-use- contrib.dlint.dlint-equivalent.insecure-ssl-use- contrib.dlint.dlint-equivalent.insecure-subprocess-use- contrib.dlint.dlint-equivalent.insecure-tarfile-use- contrib.dlint.dlint-equivalent.insecure-tempfile-use- contrib.dlint.dlint-equivalent.insecure-urllib3-connections-use- contrib.dlint.dlint-equivalent.insecure-urllib3-warnings-use- contrib.dlint.dlint-equivalent.insecure-xml-use- contrib.dlint.dlint-equivalent.insecure-xmlsec-attribute-use- contrib.dlint.dlint-equivalent.insecure-yaml-use- contrib.dlint.dlint-equivalent.insecure-zipfile-use- generic.ci.security.use-frozen-lockfile.use-frozen-lockfile- generic.ci.security.use-frozen-lockfile.use-frozen-lockfile-npm- generic.ci.security.use-frozen-lockfile.use-frozen-lockfile-pip- generic.ci.security.use-frozen-lockfile.use-frozen-lockfile-pipenv- generic.ci.security.use-frozen-lockfile.use-frozen-lockfile-yarn- generic.html-templates.security.var-in-href.var-in-href- generic.nginx.security.request-host-used.request-host-used- generic.secrets.security.detected-google-gcm-service-account.detected-google-gcm-service-account- javascript.browser.security.raw-html-join.raw-html-join- javascript.express.security.audit.express-xml2json-xxe-event.express-xml2json-xxe-event- javascript.express.security.audit.possible-user-input-redirect.unknown-value-in-redirect- javascript.express.security.audit.remote-property-injection.remote-property-injection- javascript.express.security.audit.res-render-injection.res-render-injection- javascript.express.security.audit.xss.mustache.var-in-script-tag.var-in-script-tag- javascript.lang.correctness.no-replaceall.no-replaceall- javascript.lang.security.audit.prototype-pollution.prototype-pollution-assignment.prototype-pollution-assignment- javascript.lang.security.detect-non-literal-require.detect-non-literal-require- javascript.sequelize.security.audit.sequelize-raw-query.sequelize-raw-query- python.flask.security.xss.audit.template-unescaped-with-safe.template-unescaped-with-safe- python.flask.security.xss.audit.template-unquoted-attribute-var.template-unquoted-attribute-var- typescript.react.security.audit.react-missing-noreferrer.react-missing-noreferrer- typescript.react.security.audit.react-unsanitized-property.react-unsanitized-property
Other:
- Fixed message typo: javascript.lang.best-practice.leftover_debugging
Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.