
Semgrep Pro rules

This article provides an overview of Semgrep Pro rules, a set of rules provided exclusively by r2c. These high-confidence, professionally maintained rules are a proprietary addition to the Semgrep Registry and are available in the Team tier or higher.

Kinds of rules in the Semgrep Registry

The Semgrep Registry includes the following kinds of rules:

  • Community rules - reviewed by r2c, these rules consist of contributions from Semgrep’s community. Community rules encompass a wide array of rules, including many that are made for security auditors.
  • Third-party rules - created directly by external contributors such as Trail of Bits, GitLab and many more.
  • Private rules - rules that can be authored and published by your own organization and for use only by your organization.
  • Pro rules - proprietary rules created by r2c, targeted at security and software engineers who need accurate findings. These rules provide increased coverage for many programming languages and use the latest Semgrep features.

Introduction

The goal of Pro rules is to provide a set of well-supported rules with improved coverage across languages and vulnerability types. Semgrep Pro rules are written using Semgrep’s latest features and, in general, target users who are looking to produce highly accurate, actionable findings.

Semgrep Pro rules content

Semgrep Pro rules provide improved coverage for many languages, including Java, JavaScript, TypeScript, Python, PHP, Ruby, C#, Swift, and Go.

After using Semgrep Pro rules, you will see improved findings across many languages on specific classes of vulnerabilities (such as hard-coded secrets, injection vulnerabilities, deserialization, XXE, and many others) as well as increased support for frameworks and technologies (such as Express, Spring, Java Servlets, Laravel, Go net/http, React, Next.js, Angular).

r2c’s Security Research team plans to keep improving coverage by adding support for more languages and popular frameworks, as well as reducing potential false positives by monitoring rules’ performance.

info

See the Rule updates for an overview of updates and improvements released by r2c for Semgrep’s rules, including Semgrep Pro rules.

Using Semgrep Pro rules

You can use Semgrep Pro rules in both Semgrep Cloud Platform (SCP) and your own CLI or CI environment (without SCP).

  • To use Pro Rules with Semgrep Cloud Platform, add them to your Rule Board. The rules are then included in your next scan.
  • To use Pro Rules in your own CI or CLI environment, add the rules or rulesets through the --config flag.

info

Rules that don't apply to your target repository's language or framework are skipped automatically even if they are in your Rule board. For example, if your repository contains JavaScript code and you have added Go rules, the Go rules are unused. Unused rules do not add to scan time.

Adding Semgrep Pro rules in CLI or CI

Prerequisites

For CLI users: You must be logged in.

  1. Go to Semgrep Registry.
  2. Click on Visibility > Pro rules.
  3. Optional: Apply additional filters by entering search terms in the search box or selecting filters from drop-down boxes.
  4. For a single rule, click on the rule's card > Run locally. For rulesets, click the card.
  5. Copy and paste the snippet to your CLI or CI configuration file. You can add several rulesets. Refer to the following sample snippet:
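As an added example (not a snippet from the Semgrep documentation or from r2c), the following script shows the --config route described above: it composes one `--config` flag per ruleset, requests `--json` output, and gates a CI job on the severities of the findings. The ruleset identifiers are placeholders to be replaced with the snippets copied from the Registry cards, the `semgrep` invocation and the `results[].extra.severity` fields of its JSON output are assumed from the CLI's documented behaviour, and the sample report is constructed so the script also runs offline.

```python
"""Run Semgrep with several rulesets via repeated --config flags and gate a
CI job on the JSON output. Added example, not part of the Semgrep docs."""
import json
import shutil
import subprocess
from collections import Counter

# Placeholder identifiers: substitute the "Run locally" snippets copied from
# the Semgrep Registry cards (Visibility > Pro rules).
PRO_RULESETS = ["p/PLACEHOLDER-pro-ruleset-1", "p/PLACEHOLDER-pro-ruleset-2"]


def build_command(rulesets, target=".", extra_args=()):
    """Compose the CLI invocation. semgrep accepts --config repeatedly and
    merges the rules, so each ruleset gets its own flag."""
    if not rulesets:
        raise ValueError("at least one ruleset is required")
    cmd = ["semgrep"]
    for ruleset in rulesets:
        cmd += ["--config", ruleset]
    cmd += ["--json", *extra_args, target]
    return cmd


def summarize(report_json):
    """Count findings by severity in semgrep's --json output.
    Assumed shape: {"results": [{"check_id": ..., "path": ...,
    "extra": {"severity": "ERROR" | "WARNING" | "INFO", ...}}]}."""
    report = json.loads(report_json)
    counts = Counter(r["extra"]["severity"] for r in report.get("results", []))
    return dict(counts)


def gate(report_json, fail_on=("ERROR",)):
    """Return True when no finding carries a severity listed in fail_on,
    i.e. the CI job may pass. Lower severities are reported but not blocking."""
    counts = summarize(report_json)
    return all(counts.get(severity, 0) == 0 for severity in fail_on)


def run(rulesets, target="."):
    """Invoke semgrep for real and return (gate_passed, severity_counts).
    Pro rules require a logged-in CLI, so run `semgrep login` beforehand."""
    if shutil.which("semgrep") is None:
        raise RuntimeError("semgrep is not installed on PATH")
    proc = subprocess.run(build_command(rulesets, target),
                          capture_output=True, text=True, check=False)
    return gate(proc.stdout), summarize(proc.stdout)


# Constructed sample of semgrep --json output (rule ids and paths are made up)
# so the summary and gate can be exercised without a scan.
SAMPLE_REPORT = json.dumps({
    "results": [
        {"check_id": "example.python.hardcoded-secret", "path": "app/config.py",
         "start": {"line": 12}, "extra": {"severity": "ERROR", "message": "constructed"}},
        {"check_id": "example.python.sqli", "path": "app/db.py",
         "start": {"line": 40}, "extra": {"severity": "WARNING", "message": "constructed"}},
        {"check_id": "example.python.sqli", "path": "app/reports.py",
         "start": {"line": 7}, "extra": {"severity": "WARNING", "message": "constructed"}},
        {"check_id": "example.python.weak-hash", "path": "app/util.py",
         "start": {"line": 3}, "extra": {"severity": "INFO", "message": "constructed"}},
    ],
    "errors": [],
})

if __name__ == "__main__":
    print(" ".join(build_command(PRO_RULESETS)))
    print("findings by severity:", summarize(SAMPLE_REPORT))
    print("gate passes:", gate(SAMPLE_REPORT))
```

In a pipeline, `run(PRO_RULESETS)` replaces the constructed report; failing the job only on ERROR-severity findings while still surfacing WARNING and INFO counts mirrors the Monitor-then-block approach the Rule Board recommends.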

Adding Semgrep Pro rules in SCP through Semgrep Registry

  1. Sign in to Semgrep Cloud Platform.
  2. Go to Semgrep Registry.
  3. Click on Visibility > Pro rules.
  4. Optional: Apply additional filters by entering search terms in the search box or selecting filters from drop-down boxes.
  5. To add a specific rule or ruleset:
    1. Click on the card for the rule or ruleset > Add to Rule board.
    2. Select a Rule Board column to add the rules to. It is recommended to start with the Monitor column to silently gather findings and audit the rule's performance.

Filtering behavior

  • Different filter types (such as Language, Technology, and Category) use AND logic: a rule must match every selected filter. For example, selecting Java (a Language) and security (a Category) shows only rules with both properties.
  • Several filters of the same type use OR logic: a rule can match any of them. For example, selecting Java and Python (both Languages) shows rules for either language.
  • A gem icon (💎) denotes Semgrep Pro rules.

Removing or disabling Semgrep Pro rules

Disabling rules or rulesets

To disable an individual rule, follow these steps:

  1. In Semgrep Cloud Platform, click Rule board.
  2. Click the ruleset that contains a rule you want to disable.
  3. Click the toggle next to the rule.

info
  • You can only disable individual rules that are part of rulesets in your rule board.
  • You can also reverse the described procedure to enable disabled rules in rulesets.

Removing rules or rulesets

To remove a rule from the Rule board:

  1. In Semgrep Cloud Platform, click Rule board.
  2. Click the ruleset that contains the rule.
  3. Click the Remove ruleset icon next to the rule you're deleting.
  4. Click Save.

info
  • Individual rules within rulesets can only be disabled, not deleted. To disable an individual rule in Rule board, click the toggle to disable the rule. See also Disabling rules.
  • When you remove a rule from the Rule Board, all associated findings on the Findings page and the Dashboard page are also removed.

You can also remove a rule from the Findings page. To do so, follow these steps:

  1. Go to the Semgrep Cloud Platform Findings page.
  2. Next to a finding with status Open, click Ignore.
  3. Optional: Select a reason for ignoring the finding: False positive, Acceptable risk, or No time to fix.
  4. Click Save.
  5. Optional: Select whether to ignore all findings in Just this file, This directory, or Parent directory.
  6. Select the Remove this rule from Rule board checkbox. This removes the rule that produced the finding.

Losing access to Semgrep Pro rules

You lose access to Semgrep Pro rules and their future improvements if you choose not to renew your Team or Enterprise tier plan.
