
Semgrep Pro rules

This article provides an overview of the rules provided exclusively by Semgrep, Inc., called Semgrep Pro rules. These high-confidence, professionally maintained rules are a proprietary addition to the Semgrep Registry.

Kinds of rules in the Semgrep Registry

The Semgrep Registry includes the following kinds of rules:

  • Community rules - reviewed by the Semgrep team, these rules consist of contributions from Semgrep’s community. Community rules encompass a wide array of rules, including many that are made for security auditors.
  • Third-party rules - created directly by external contributors such as Trail of Bits, GitLab and many more.
  • Private rules - rules that your own organization authors and publishes, for use only by your organization.
  • Pro rules - proprietary rules created by the Semgrep team targeted for security and software engineers who need accurate findings. These rules provide increased coverage for many programming languages and use the latest Semgrep features.

Introduction

The goal of Pro rules is to provide a set of well-supported rules with improved coverage across languages and vulnerability types. Semgrep Pro rules are written using Semgrep’s latest features and, in general, target users who are looking to produce highly accurate, actionable findings.

Semgrep Pro rules content

Semgrep Pro rules provide improved coverage for many languages, including Java, JavaScript, TypeScript, Python, PHP, Ruby, C#, Swift, and Go.

After using Semgrep Pro rules, you will see improved findings across many languages on specific classes of vulnerabilities (such as hard-coded secrets, injection vulnerabilities, deserialization, XXE, and many others) as well as increased support for frameworks and technologies (such as Express, Spring, Java Servlets, Laravel, Go net/http, React, Next.js, Angular).

Semgrep's Security Research team plans to keep improving coverage by adding support for more languages and popular frameworks, as well as reducing potential false positives by monitoring rules’ performance.

info

See the Rule updates for an overview of updates and improvements released by Semgrep, Inc. for Semgrep’s rules, including Semgrep Pro rules.

Using Semgrep Pro rules

You can use Semgrep Pro rules in both Semgrep Cloud Platform (SCP) and your own CLI or CI environment (without SCP).

  • To use Pro Rules with Semgrep Cloud Platform, add them to your Policies page. The rules are then included in your next scan.
  • To use Pro Rules in your own CI or CLI environment, add the rules or rulesets through the --config flag.

info

Rules that don't apply to your target repository's language or framework are skipped automatically even if they are in your Policies page. For example, if your repository contains JavaScript code and you have added Go rules, the Go rules are unused. Unused rules do not add to scan time.

Adding Semgrep Pro rules in CLI or CI

Prerequisites

For CLI users: You must be logged in.

  1. Go to Semgrep Registry.
  2. Click on Visibility > Pro rules.
  3. Optional: Apply additional filters by entering search terms in the search box or selecting filters from drop-down boxes.
  4. For a single rule, click on the rule's card > Run locally. For rulesets, click the card.
  5. Copy and paste the snippet into your CLI command or CI configuration file. You can add several rulesets. Refer to the following sample snippet:

Adding Semgrep Pro rules in SCP through Semgrep Registry

  1. Sign in to Semgrep Cloud Platform.
  2. Go to Semgrep Registry.
  3. Click on Visibility > Pro rules.
  4. Optional: Apply additional filters by entering search terms in the search box or selecting filters from drop-down boxes.
  5. To add a specific rule or ruleset:
    1. Click on the card for the rule or ruleset > Add to Policy.
    2. Select a Policy rule mode to add the rules to. It is recommended to start with the Monitor mode to silently gather findings and audit the rule's performance.

Filtering behavior

  • Filters of different types, such as Language, Technology, and Category, are combined with AND logic. This means that a rule must match every selected filter. For example, selecting Java (a Language) and security (a Category) shows only rules with both properties (Java and security).
  • Filters of the same type are combined with OR logic. This means that a rule can match any of the selected filters of that type. For example, selecting Java and Python (both languages) shows rules for either language.
  • A gem icon (💎) denotes Semgrep Pro rules.

Removing or disabling Semgrep Pro rules

Disabling rules

To disable an individual rule, follow these steps:

  1. In Semgrep Cloud Platform, click Rules > Policies.
  2. Click the checkbox of the rule to disable.
  3. Click Edit > Disabled.

Removing rulesets

You can disable a specific rule or ruleset to prevent Semgrep Code from using it when scanning your codebase.

info

When you disable a rule, existing findings from that rule remain open until you re-scan your code.

Disable a ruleset using the Policies page

To disable a ruleset using the Policies page:

  1. In Semgrep Cloud Platform, click Rules > Policies.
  2. From the Ruleset drop-down box, click the ruleset to remove.
  3. Click Matching rules.
  4. Click Change modes > Disabled.

Disable a rule using the Findings page while in Group by rule view

Follow these steps to remove a rule in the Group by rule view:

  1. Go to the Semgrep Cloud Platform Findings page.
  2. Next to a finding with status Open, click Details.
  3. Click Open > Disable rule....
  4. Click the Disable from policy checkbox.
  5. Click Ignore.

Disable a rule using the Findings page while in No grouping view

To remove a rule in the No grouping view, perform the following steps:

  1. Go to the Semgrep Cloud Platform Findings page.
  2. Next to a finding with status Open, click Open > Disable rule... > Disable from policy.
  3. Click Ignore.

Losing access to Semgrep Pro rules

You lose access to Semgrep Pro rules and their future improvements if you choose not to renew your Team or Enterprise tier plan.
